2 results (0.018 seconds)

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0

CVE-2023-6938 – Oxygen Builder <= 4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field

https://notcve.org/view.php?id=CVE-2023-6938

The Oxygen Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom field in all versions up to, and including, 4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: Version 4.8.1 of the Oxygen Builder plugin for WordPress addresses this vulnerability by implementing an optional filter to provide output escaping for dynamic data. Please see https://oxygenbuilder.com/documentation/other/security/#filtering-dynamic-data for more details. El complemento Oxygen Builder para WordPress es vulnerable a Cross-Site Scripting almacenado a través de un campo personalizado en todas las versiones hasta la 4.8 inclusive debido a una sanitización de entrada y un escape de salida insuficientes. • https://oxygenbuilder.com/oxygen-4-8-1-now-available https://www.wordfence.com/threat-intel/vulnerabilities/id/ee069cb3-370e-48ea-aa35-c30fe83c2498?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

CVE-2022-46841 – WordPress Oxygen Builder Plugin < 4.4 is vulnerable to Cross Site Request Forgery (CSRF)

https://notcve.org/view.php?id=CVE-2022-46841

Cross-Site Request Forgery (CSRF) vulnerability in Soflyy Oxygen Builder plugin <= 4.4 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento Soflyy Oxygen Builder en versiones &lt;=&#xa0;4.4. The Oxygen plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 4.4. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to perform unauthorized actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/oxygen/wordpress-oxygen-builder-plugin-4-6-2-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •