CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-0672 – Pz-LinkCard <= 2.5.1 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-0672
The Pz-LinkCard WordPress plugin through 2.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin El complemento Pz-LinkCard de WordPress hasta la versión 2.5.1 no sanitiza ni escapa un parámetro antes de devolverlo a la página, lo que genera una cross-site scripting reflejado que podría usarse contra usuarios con privilegios elevados, como el administrador. The Pz-LinkCard plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/eceb6585-5969-4aa6-9908-b6bfb578190a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-0677 – Pz-LinkCard <= 2.5.1 - Contributor+ SSRF
https://notcve.org/view.php?id=CVE-2024-0677
The Pz-LinkCard WordPress plugin through 2.5.1 does not prevent users from pinging arbitrary hosts via some of its shortcodes, which could allow high privilege users such as contributors to perform SSRF attacks. El complemento Pz-LinkCard de WordPress hasta la versión 2.5.1 no impide que los usuarios hagan ping a hosts arbitrarios a través de algunos de sus códigos cortos, lo que podría permitir a usuarios con altos privilegios, como los contribuyentes, realizar ataques SSRF. The Pz-LinkCard plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.2 via shortcode. This makes it possible for authenticated attackers, with contributor access or higher, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. • https://wpscan.com/vulnerability/0f7757c9-69fa-49db-90b0-40f0ff29bee7 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-0673 – Pz-LinkCard <= 2.5.1 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-0673
The Pz-LinkCard WordPress plugin through 2.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed El complemento Pz-LinkCard para WordPress hasta la versión 2.5.1 no sanitiza ni escapa a algunas de sus configuraciones, lo que podría permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de cross-site scripting incluso cuando unfiltered_html no está permitido. The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/d80e725d-356a-4997-a352-33565e291fc8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47790 – WordPress Pz-LinkCard Plugin <= 2.4.8 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-47790
Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) vulnerability in Poporon Pz-LinkCard plugin <= 2.4.8 versions. Cross-Site Request Forgery (CSRF) conduce a una vulnerabilidad de Cross-Site Scripting (XSS) en el complemento Poporon Pz-LinkCard en versiones <= 2.4.8. The Pz-LinkCard plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the page_cacheman function. This makes it possible for unauthenticated attackers to manage the plugin's caching functionality via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/pz-linkcard/wordpress-pz-linkcard-plugin-2-4-8-cross-site-request-forgery-csrf-to-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-25012 – Pz-LinkCard <= 2.4.4.4 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-25012
The Pz-LinkCard WordPress plugin through 2.4.4.4 does not sanitise and escape multiple parameters before outputting them back in admin dashboard pages, leading to Reflected Cross-Site Scripting issues El plugin Pz-LinkCard de WordPress versiones hasta 2.4.4.4, no sanea y escapa de múltiples parámetros antes de devolverlos en las páginas del panel de control del administrador, conllevando a problemas de tipo Cross-Site Scripting Reflejado The Pz-LinkCard plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 2.4.5.1 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts that execute in a victim's browser. • https://wpscan.com/vulnerability/b126d2fc-6cc7-4c18-b95e-d32c2effcc4f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •