
CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

03 Jul 2023 — The All-in-one Floating Contact Form WordPress plugin before 2.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The All-in-one Floating Contact Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.1.1 due to insufficient input sanitization and o... • https://wpscan.com/vulnerability/90c7496b-552f-4566-b7ae-8c953c965352 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

09 Feb 2023 — The My Sticky Elements WordPress plugin before 2.0.9 does not properly sanitise and escape a parameter before using it in a SQL statement when deleting messages, leading to a SQL injection exploitable by high privilege users such as admin. The My Sticky Elements plugin for WordPress is vulnerable to SQL Injection via the 'delete_message' parameter in versions up to, and including, 2.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. T... • https://wpscan.com/vulnerability/0e874a1d-c866-45fa-b456-c8012dca32af • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')