4 results (0.006 seconds)

CVSS: 6.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Missing Authorization vulnerability in ThemeBoy SportsPress – Sports Club & League Manager. This issue affects SportsPress – Sports Club & League Manager: from n/a through 2.7.20. The SportsPress – Sports Club & League Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the add_notices() function in versions up to, and including, 2.7.20. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss notices. • https://patchstack.com/database/vulnerability/sportspress/wordpress-sportspress-sports-club-league-manager-plugin-2-7-20-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

The SportsPress – Sports Club & League Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings_save() function in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to update the permalink structure for the clubs. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3043889%40sportspress&new=3043889%40sportspress&sfp_email=&sfph_mail= • https://www.wordfence.com/threat-intel/vulnerabilities/id/098dfee2-ba0b-420f-89ed-8ad1e41faec4?source=cve • CWE-862: Missing Authorization

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

The SportsPress WordPress plugin before 2.7.9 does not sanitise and escape its match_day parameter before outputting it back in the Events backend page, leading to a Reflected Cross-Site Scripting issue. • https://wpscan.com/vulnerability/69351798-c790-42d4-9485-1813cd325769 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

The SportsPress plugin before 2.7.2 for WordPress allows XSS. • https://wpvulndb.com/vulnerabilities/10257 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')