
CVSS: 7.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magic Hills Pty Ltd Wonder Slider Lite allows Reflected XSS. This issue affects Wonder Slider Lite: from n/a through 13.9. The Wonder Slider Lite plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in versions up to, and including, 13.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
• https://patchstack.com/database/vulnerability/wonderplugin-slider-lite/wordpress-wonder-slider-lite-plugin-13-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.
• https://wpscan.com/vulnerability/67910e5d-ea93-418b-af81-c50d0e05d213
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

The Wonder PDF Embed WordPress plugin before 1.7 does not escape parameters of its wonderplugin_pdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.
• https://wpscan.com/vulnerability/e6602369-87f4-4454-8298-89cc69f8375c
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 3

Multiple SQL injection vulnerabilities in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow (1) remote authenticated users to execute arbitrary SQL commands via the item[id] parameter in a wonderplugin_audio_save_item action to wp-admin/admin-ajax.php or remote administrators to execute arbitrary SQL commands via the itemid parameter in the (2) wonderplugin_audio_show_item, (3) wonderplugin_audio_show_items, or (4) wonderplugin_audio_edit_item page to wp-admin/admin.php.
• https://www.exploit-db.com/exploits/36086
• http://osvdb.org/show/osvdb/118508
• http://osvdb.org/show/osvdb/118509
• http://security.szurek.pl/wonderplugin-audio-player-20-blind-sql-injection-and-xss.html
• http://www.exploit-db.com/exploits/36086
• http://www.wonderplugin.com/wordpress-audio-player
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')