4 results (0.013 seconds)

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1

In the process of testing the Relevanssi WordPress plugin before 4.23.1, a vulnerability was found that allows you to implement Stored XSS on behalf of the Contributor+ by embedding malicious script, which entails account takeover backdoor The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom name field in all versions up to, and including, 4.23.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/5f25646d-b80b-40b1-bcaf-3b860ddc4059 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1

The Relevanssi WordPress plugin before 4.22.0, Relevanssi Premium WordPress plugin before 2.25.0 allows any unauthenticated user to read draft and private posts via a crafted request Los complementos Relevanssi de WordPress anterior a 4.22.0 y Relevanssi Premium de WordPress anterior a 2.25.0 permite a cualquier usuario no autenticado leer borradores y publicaciones privadas a través de una solicitud manipulada The Relevanssi – A Better Search plugin for WordPress is vulnerable to unauthorized access of data due to insufficient limitation of a user controlled key in all versions up to, and including, 4.21.2 (Free) and < 2.25.0 (Premium). This makes it possible for unauthenticated attackers to view private and draft posts that may contain sensitive information. • https://wpscan.com/vulnerability/0c96a128-4473-41f5-82ce-94bba33ca4a3 https://www.relevanssi.com/release-notes/premium-2-25-free-4-22-release-notes • CWE-639: Authorization Bypass Through User-Controlled Key CWE-862: Missing Authorization •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

Cross-site scripting (XSS) vulnerability in lib/interface.php of the Relevanssi plugin 4.0.4 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the tab GET parameter. Vulnerabilidad de Cross-Site Scripting (XSS) en lib/interface.php en el plugin Relevanssi 4.0.4 para WordPress permite que atacantes remotos inyecten JavaScript o HTML arbitrarios mediante el parámetro GET. WordPress Relevanssi plugin version 4.0.4 suffers from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/44366 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

The Relevanssi Premium plugin before 1.14.6.1 for WordPress has SQL injection with resultant unsafe unserialization. El plugin Relevanssi Premium versiones anteriores a 1.14.6.1 para WordPress, presenta una inyección SQL con una deserialización no segura resultante. • https://advisories.dxw.com/advisories/sql-injection-and-unserialization-vulnerability-in-relevanssi-premium-could-allow-admins-to-execute-arbitrary-code-in-some-circumstances • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •