CVE-2024-35780 – WordPress Page Builder: Live Composer plugin <= 1.5.42 - Contributor+ PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-35780
Deserialization of Untrusted Data vulnerability in Live Composer Team Page Builder: Live Composer. This issue affects Page Builder: Live Composer: from n/a through 1.5.42. The Page Builder: Live Composer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.42 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object.
• https://patchstack.com/database/vulnerability/live-composer-page-builder/wordpress-page-builder-live-composer-plugin-1-5-42-contributor-php-object-injection-vulnerability?_s_id=cve
• CWE-502: Deserialization of Untrusted Data
CVE-2024-35765 – WordPress Greenshift – animation and page builder blocks plugin <= 8.8.9.1 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-35765
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wpsoul Greenshift – animation and page builder blocks allows Stored XSS. This issue affects Greenshift – animation and page builder blocks: from n/a through 8.8.9.1. The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's social share block in all versions up to, and including, 8.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
• https://patchstack.com/database/vulnerability/greenshift-animation-and-page-builder-blocks/wordpress-greenshift-animation-and-page-builder-blocks-plugin-8-8-9-1-cross-site-scripting-xss-vulnerability?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-35747 – WordPress Contact Form Builder, Contact Widget plugin <= 2.1.7 - Bypass Vulnerability vulnerability
https://notcve.org/view.php?id=CVE-2024-35747
Improper Restriction of Excessive Authentication Attempts vulnerability in wpdevart Contact Form Builder, Contact Widget allows Functionality Bypass. This issue affects Contact Form Builder, Contact Widget: from n/a through 2.1.7. The Contact Form Builder, Contact Widget plugin for WordPress is vulnerable to protection bypass in all versions up to, and including, 2.1.7. This is due to the plugin not properly restricting authentication attempts.
• https://patchstack.com/database/vulnerability/contact-forms-builder/wordpress-contact-form-builder-contact-widget-plugin-2-1-7-bypass-vulnerability-vulnerability?_s_id=cve
• CWE-307: Improper Restriction of Excessive Authentication Attempts
CVE-2024-4662 – Oxygen Builder <= 4.8.2 - Authenticated (Contributor+) Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-4662
The Oxygen Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.8.2 via post metadata. This is due to the plugin storing custom data in post metadata without an underscore prefix. This makes it possible for lower privileged users, such as contributors, to inject arbitrary PHP code via the WordPress user interface and gain elevated privileges.
• https://oxygenbuilder.com/oxygen-4-8-3-now-available-security-update
• https://www.wordfence.com/threat-intel/vulnerabilities/id/8706c3f6-64e0-440e-a802-5c80d9cc3643?source=cve
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2024-34752 – WordPress Landing Page Builder <= 1.5.1.8 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-34752
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PluginOps Landing Page Builder allows Reflected XSS. This issue affects Landing Page Builder: from n/a through 1.5.1.8. The Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the pageType parameter in all versions up to, and including, 1.5.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
• https://patchstack.com/database/vulnerability/page-builder-add/wordpress-landing-page-builder-1-5-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')