CVE-2022-4491 – WP Table Reloaded <= 1.9.4 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-4491
The WP-Table Reloaded WordPress plugin through 1.9.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins.
The WP-Table Reloaded plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 1.9.4 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
• https://wpscan.com/vulnerability/b62d8fa6-d546-4794-8f7a-c5e4a7f607dc
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-1463 – WP-Table Reloaded <= 1.9.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-1463
Cross-site scripting (XSS) vulnerability in js/tabletools/zeroclipboard.swf in the WP-Table Reloaded module before 1.9.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter. NOTE: this might be the same vulnerability as CVE-2013-1808. If so, it is likely that CVE-2013-1463 will be REJECTed.
• https://www.exploit-db.com/exploits/38251
• http://osvdb.org/89754
• http://packetstormsecurity.com/files/119968/WordPress-WP-Table-Reloaded-Cross-Site-Scripting.html
• http://secunia.com/advisories/52027
• http://tobias.baethge.com/2013/01/maintenance-release-wp-table-reloaded-1-9-4
• http://www.securityfocus.com/bid/57664
• https://exchange.xforce.ibmcloud.com/vulnerabilities/81748
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')