CVE-2023-0368 – Responsive Tabs For WPBakery Page Builder <= 1.1 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0368
The Responsive Tabs For WPBakery Page Builder (formerly Visual Composer) WordPress plugin through 1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks The Responsive Tabs For WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/b41e5c09-1034-48a7-ac0f-d4db6e7a3b3e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-22688 – WordPress WP Tabs Slides Plugin <= 2.0.3 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-22688
Cross-Site Request Forgery (CSRF) vulnerability in Abdul Ibad WP Tabs Slides plugin <= 2.0.3 versions. The WP Tabs Slides plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.3. This is due to missing or incorrect nonce validation on the optionsAction function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/wordpress-tabs-slides/wordpress-wp-tabs-slides-plugin-2-0-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-40215 – WordPress Tabs plugin <= 3.7.1 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
https://notcve.org/view.php?id=CVE-2022-40215
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in Tabs plugin <= 3.7.1 at WordPress. Múltiples vulnerabilidades de tipo Cross-Site Scripting (XSS) Almacenado y Autenticado en el plugin Tabs versiones anteriores a 3.7.1 de WordPress. The Tabs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with high-level permissions, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/vc-tabs/wordpress-tabs-plugin-3-7-1-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities/_s_id=cve https://wordpress.org/plugins/vc-tabs • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-4373
https://notcve.org/view.php?id=CVE-2015-4373
Cross-site scripting (XSS) vulnerability in the OG tabs module before 7.x-1.1 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to nodes posted in an Organic Groups group. Vulnerabilidad de XSS en el módulo OG tabs anterior a 7.x-1.1 para Drupal permite a usuarios remotos autenticados con ciertos permisos inyectar secuencias de comandos web arbitrarios o HTML a través de vectores relacionados con nodos publicados en un grupo Organic Groups. • http://www.openwall.com/lists/oss-security/2015/04/25/6 http://www.securityfocus.com/bid/73054 https://www.drupal.org/node/2404115 https://www.drupal.org/node/2450427 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-4406
https://notcve.org/view.php?id=CVE-2013-4406
The Quick Tabs module 6.x-2.x before 6.x-2.2, 6.x-3.x before 6.x-3.2, and 7.x-3.x before 7.x-3.6 for Drupal does not properly check block permissions, which allows remote attackers to obtain sensitive information by reading a Quick Tab. El módulo Quick Tabs 6.x-2.x anterior a 6.x-2.2, 6.x-3.x anterior a 6.x-3.2 y 7.x-3.x anterior a 7.x-3.6 para Drupal no comprueba debidamente permisos de bloque, lo que permite a atacantes remotos obtener información sensible mediante la lectura de una Quick Tab. • http://www.openwall.com/lists/oss-security/2013/10/04/14 http://www.openwall.com/lists/oss-security/2013/10/05/1 https://drupal.org/node/2103113 https://drupal.org/node/2103121 https://drupal.org/node/2103127 https://drupal.org/node/2103187 • CWE-264: Permissions, Privileges, and Access Controls •