
CVE-2024-12206 – WordPress Header Builder Plugin <= 1.3.8 - Cross-Site Request Forgery to Header Deletion
https://notcve.org/view.php?id=CVE-2024-12206
08 Jan 2025 — The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing or incorrect nonce validation on the stm_header_builder page. This makes it possible for unauthenticated attackers to delete arbitrary headers via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3218670%40pearl-header-builder&new=3218670%40pearl-header-builder&sfp_email=&sfph_mail=
• CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2024-5468 – WordPress Header Builder Plugin – Pearl <= 1.3.7 - Missing Authorization to Unauthenticated Arbitrary Site Options Deletion
https://notcve.org/view.php?id=CVE-2024-5468
11 Jun 2024 — The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to unauthorized site option deletion due to missing validation and capability checks on the stm_hb_delete() function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to delete arbitrary options, which can be used to perform a denial of service attack on a site.
• https://plugins.trac.wordpress.org/browser/pearl-header-builder/tags/1.3.7/includes/helpers.php#L304
• CWE-862: Missing Authorization

CVE-2024-4000 – WordPress Header Builder Plugin – Pearl <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2024-4000
30 Apr 2024 — The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'stm_hb' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3078437%40pearl-header-builder&new=3078437%40pearl-header-builder&sfp_email=&sfph_mail=
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')