
CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in MyThemeShop Launcher: Coming Soon & Maintenance Mode plugin <= 1.0.11 for WordPress. The Launcher plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
• https://patchstack.com/database/vulnerability/launcher/wordpress-launcher-coming-soon-maintenance-mode-plugin-1-0-11-authenticated-stored-cross-site-scripting-xss-vulnerability • https://wordpress.org/plugins/launcher • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

Multiple stored cross-site scripting (XSS) vulnerabilities in the MyThemeShop Launcher plugin 1.0.8 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title, (2) Favicon, (3) Meta Description, (4) Subscribe Form (Name field label, Last name field label, Email field label), (5) Contact Form (Name field label and Email field label), and (6) Social Links (Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL).
Multiple stored cross-site scripting (XSS) vulnerabilities in the MyThemeShop Launcher plugin before 1.0.11 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title, (2) Favicon, (3) Meta Description, (4) Subscribe Form (Name field label, Last name field label, Email field label), (5) Contact Form (Name field label and Email field label), and (6) Social Links (Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL).
• https://metamorfosec.com/Files/Advisories/METS-2019-002-Multiple_Stored_XSS_Vulnerabilities_in_the_MyThemeShop_Launcher_plugin_v1.0.8_for_WordPress.txt • https://wpvulndb.com/vulnerabilities/9275 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 1% | CPEs: 1 | EXPL: 0

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Epic Games Launcher versions prior to 8.2.2. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handler for the com.epicgames.launcher protocol. A crafted URI with the com.epicgames.launcher protocol can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of the current user.
• https://www.zerodayinitiative.com/advisories/ZDI-18-1359 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')