CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4324 – WP Video Lightbox <= 1.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter
https://notcve.org/view.php?id=CVE-2024-4324
The WP Video Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 1.9.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento WP Video Lightbox para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del parámetro 'ancho' en todas las versiones hasta la 1.9.10 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/wp-video-lightbox/trunk/misc_functions.php#L60 https://www.wordfence.com/threat-intel/vulnerabilities/id/da2d8494-aea3-4a1e-9eca-946c0bd390cd?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4465 – WP Video Lightbox < 1.9.7 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-4465
The WP Video Lightbox WordPress plugin before 1.9.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. Las versiones del complemento WP Video Lightbox de WordPress anteriores a 1.9.7 no validan ni escapan algunos de sus atributos de código corto antes de devolverlos a la página, lo que podría permitir a los usuarios con un rol tan bajo como colaborador realizar ataques de cross-site scripting que podrían ser utilizados contra usuarios con privilegios elevados, como el administrador. The WP Video Lightbox for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 1.9.6 due to insufficient input sanitization and output escaping on supplied attributes. This makes it possible for authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/28abe589-1371-4ed2-90b6-2bb96c93832c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2189 – WP Video Lightbox < 1.9.5 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2189
The WP Video Lightbox WordPress plugin before 1.9.5 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers El plugin WP Video Lightbox de WordPress versiones anteriores a 1.9.5, no escapa del parámetro $_SERVER["REQUEST_URI"] antes de devolverlo en un atributo, lo que podría conllevar a un ataque de tipo Cross-Site Scripting Reflejado en navegadores antiguos The WP Video Lightbox plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['REQUEST_URI'] parameter in versions up to, and including, 1.9.4 due to insufficient input sanitization and output escaping. This makes it possible for administrative attackers to inject arbitrary web scripts in pages that execute when someone visits an injected page. • https://wpscan.com/vulnerability/b6ed4d64-ee98-41bd-a97a-8350c2a8a546 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-24665 – WP Video Lightbox < 1.9.3 - Contributor+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24665
The WP Video Lightbox WordPress plugin before 1.9.3 does not escape the attributes of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks El plugin WP Video Lightbox de WordPress versiones anteriores a 1.9.3, no escapa de los atributos de sus shortcodes, permitiendo a usuarios con un rol tan bajo como el de contribuyente llevar a cabo ataques de tipo Cross-Site Scripting • https://wpscan.com/vulnerability/42a8947f-2ae5-4f12-bd3d-ab3716501df5 https://www.fortiguard.com/zeroday/FG-VD-21-059 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •