
CVE-2023-4239 – Real Estate Manager <= 7.2 - Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-4239
08 Aug 2023 — The Real Estate Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7.1 due to insufficient restriction on the 'rem_save_profile_front' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update. • https://plugins.trac.wordpress.org/browser/real-estate-manager/tags/6.7.1/classes/shortcodes.class.php#L1439 • CWE-269: Improper Privilege Management

CVE-2009-4318
https://notcve.org/view.php?id=CVE-2009-4318
14 Dec 2009 — Cross-site scripting (XSS) vulnerability in index.php in Real Estate Manager 1.0.1 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. NOTE: some of these details are obtained from third party information. • http://packetstormsecurity.org/0912-exploits/rem101-xss.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')