CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41612 – WordPress Similar Posts Plugin <= 3.1.6 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-41612
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Shareaholic Similar Posts plugin <= 3.1.6 versions. The Similar Posts – Best Related Posts Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for attackers authenticated as an administrator to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/similar-posts/wordpress-similar-posts-plugin-3-1-6-auth-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24537 – Similar Posts <= 3.1.5 - Admin+ Arbitrary PHP Code Execution
https://notcve.org/view.php?id=CVE-2021-24537
The Similar Posts WordPress plugin through 3.1.5 allow high privilege users to execute arbitrary PHP code in an hardened environment (ie with DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS and DISALLOW_UNFILTERED_HTML set to true) via the 'widget_rrm_similar_posts_condition' widget setting of the plugin. El plugin Similar Posts de WordPress versiones hasta 3.1.5 permite a usuarios muy privilegiados ejecutar código PHP arbitrario en un entorno reforzado (es decir, con DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS y DISALLOW_UNFILTERED_HTML configurados como verdaderos) por medio de la configuración del widget "widget_rrm_similar_posts_condition" del plugin • https://wpscan.com/vulnerability/0d6b46cb-5244-486f-ad70-4023907ac9eb • CWE-94: Improper Control of Generation of Code ('Code Injection') •