CVE-2024-3986 – SportsPress < 2.7.22 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-3986
The SportsPress WordPress plugin before 2.7.22 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
The SportsPress – Sports Club & League Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
• https://wpscan.com/vulnerability/76c78f8e-e3da-47d9-9bf4-70e9dd125b82
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-34824 – WordPress SportsPress – Sports Club & League Manager plugin <= 2.7.20 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-34824
Missing Authorization vulnerability in ThemeBoy SportsPress – Sports Club & League Manager. This issue affects SportsPress – Sports Club & League Manager: from n/a through 2.7.20.
The SportsPress – Sports Club & League Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the add_notices() function in versions up to, and including, 2.7.20. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss notices.
• https://patchstack.com/database/vulnerability/sportspress/wordpress-sportspress-sports-club-league-manager-plugin-2-7-20-broken-access-control-vulnerability?_s_id=cve
• CWE-862: Missing Authorization
CVE-2021-24578 – SportsPress < 2.7.9 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24578
The SportsPress WordPress plugin before 2.7.9 does not sanitise and escape its match_day parameter before outputting it back in the Events backend page, leading to a Reflected Cross-Site Scripting issue.
• https://wpscan.com/vulnerability/69351798-c790-42d4-9485-1813cd325769
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-13892 – SportsPress <= 2.7.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-13892
The SportsPress plugin before 2.7.2 for WordPress allows XSS.
• https://wpvulndb.com/vulnerabilities/10257
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')