CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2024-2857 – Simple Buttons Creator <= 1.04 - Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2024-2857
The Simple Buttons Creator WordPress plugin through 1.04 does not have any authorisation as well as CSRF in its add button function, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins. El complemento Simple Buttons Creator de WordPress hasta la versión 1.04 no tiene ninguna autorización ni CSRF en su función de agregar botón, lo que permite a usuarios no autenticados llamarlos directamente o mediante ataques CSRF. Además, debido a la falta de sanitización y escape, también podría permitirles realizar ataques de Cross-Site Scripting Almacenado contra administradores que hayan iniciado sesión. The Simple Buttons Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "Add Button" functionality in all versions up to, and including, 1.04 due to insufficient input sanitization and output escaping. • https://wpscan.com/vulnerability/b7a35c5b-474a-444a-85ee-c50782c7a6c2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 2CVE-2024-2858 – Simple Buttons Creator <= 1.04 - Aribtrary Button Deletion via CSRF
https://notcve.org/view.php?id=CVE-2024-2858
The Simple Buttons Creator WordPress plugin through 1.04 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks El complemento Simple Buttons Creator de WordPress hasta la versión 1.04 no tiene comprobaciones CSRF en algunos lugares, lo que podría permitir a los atacantes hacer que los usuarios que han iniciado sesión realicen acciones no deseadas a través de ataques CSRF. The Simple Buttons Creator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.04. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to delete arbitrary buttons via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://github.com/Alaatk/CVE-2024-28589 https://wpscan.com/vulnerability/43297210-17a6-4b51-b8ca-32ceef9fc09a • CWE-352: Cross-Site Request Forgery (CSRF) •