CVE-2024-37121 – WordPress Shortcode Addons plugin <= 3.2.5 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-37121
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in biplob018 Shortcode Addons allows Stored XSS. This issue affects Shortcode Addons: from n/a through 3.2.5.
The Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
• https://patchstack.com/database/vulnerability/shortcode-addons/wordpress-shortcode-addons-plugin-3-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-31114 – WordPress Shortcode Addons <= 3.2.5 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-31114
Unrestricted Upload of File with Dangerous Type vulnerability in biplob018 Shortcode Addons. This issue affects Shortcode Addons: from n/a through 3.2.5.
The Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 3.2.5. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
• https://patchstack.com/database/vulnerability/shortcode-addons/wordpress-shortcode-addons-3-2-5-arbitrary-file-upload-vulnerability?_s_id=cve
• CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2022-33970 – WordPress Shortcode Addons plugin <= 3.1.2 - Authenticated WordPress Options Change vulnerability
https://notcve.org/view.php?id=CVE-2022-33970
Authenticated WordPress Options Change vulnerability in Biplob018 Shortcode Addons plugin <= 3.1.2 at WordPress.
The "Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension" plugin for WordPress is vulnerable to arbitrary options update in versions up to, and including, 3.1.2. This makes it possible for authenticated attackers to modify arbitrary site options that can be used for complete site takeover.
• https://patchstack.com/database/vulnerability/shortcode-addons/wordpress-shortcode-addons-plugin-3-1-2-authenticated-wordpress-options-change-vulnerability
• https://wordpress.org/plugins/shortcode-addons/#developers
• CWE-264: Permissions, Privileges, and Access Controls
• CWE-862: Missing Authorization
CVE-2022-34487 – WordPress Shortcode Addons plugin <= 3.0.2 - Unauthenticated Arbitrary Option Update vulnerability
https://notcve.org/view.php?id=CVE-2022-34487
Unauthenticated Arbitrary Option Update vulnerability in biplob018's Shortcode Addons plugin <= 3.0.2 at WordPress.
The "Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension" plugin for WordPress is vulnerable to arbitrary options update in versions up to, and including, 3.0.2. This is due to improperly configured capability checking via the permission_callback on the ShortCodeAddonsUltimate/v2/ REST API Endpoint. This makes it possible for unauthenticated attackers to modify arbitrary site options that can be used for complete site takeover.
• https://patchstack.com/database/vulnerability/shortcode-addons/wordpress-shortcode-addons-plugin-3-0-3-unauthenticated-arbitrary-option-update-vulnerability
• https://wordpress.org/plugins/shortcode-addons/#developers
• CWE-264: Permissions, Privileges, and Access Controls
• CWE-862: Missing Authorization