CVE-2024-37926 – WordPress WP Accessibility Helper (WAH) plugin <= 0.6.2.9 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-37926
Missing Authorization vulnerability in Alex Volkov WP Accessibility Helper (WAH) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WP Accessibility Helper (WAH): from n/a through 0.6.2.9. The WP Accessibility Helper (WAH) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wah_update_image_alt() function in all versions up to, and including, 0.6.2.9. This makes it possible for unauthenticated attackers to update image alts. • https://patchstack.com/database/vulnerability/wp-accessibility-helper/wordpress-wp-accessibility-helper-wah-plugin-0-6-2-8-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization
CVE-2024-31423 – WordPress WP Accessibility Helper (WAH) plugin <= 0.6.2.5 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-31423
Missing Authorization vulnerability in Alex Volkov WP Accessibility Helper (WAH). This issue affects WP Accessibility Helper (WAH): from n/a through 0.6.2.5. The WP Accessibility Helper (WAH) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_attachment_alt() function in versions up to, and including, 0.6.2.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to update attachment alts. • https://patchstack.com/database/vulnerability/wp-accessibility-helper/wordpress-wp-accessibility-helper-wah-plugin-0-6-2-5-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization
CVE-2023-41869 – WP Accessibility Helper (WAH) <= 0.6.2.4 - Missing Authorization via AJAX action
https://notcve.org/view.php?id=CVE-2023-41869
The WP Accessibility Helper (WAH) plugin for WordPress is vulnerable to unauthorized use of AJAX actions due to a missing capability check on the wah_update_attachment_title function in versions up to, and including, 0.6.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to change attachment titles. • CWE-862: Missing Authorization
CVE-2022-0150 – WP Accessibility Helper (WAH) < 0.6.0.7 - Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-0150
The WP Accessibility Helper (WAH) WordPress plugin before 0.6.0.7 does not sanitise and escape the wahi parameter before outputting its base64-decoded value back in the page, leading to a Reflected Cross-Site Scripting issue. • https://plugins.trac.wordpress.org/changeset/2661008 • https://wpscan.com/vulnerability/7142a538-7c3d-4dd0-bd2c-cbd2efaf53c5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')