CVE-2023-23758 – Extension - creative-solutions.net - SQLi in Creative Gallery component for Joomla <= 2.2.0
https://notcve.org/view.php?id=CVE-2023-23758
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability allows SQL Injection. • https://extensions.joomla.org/extension/creative-gallery • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-37988 – WordPress Contact Form Generator Plugin <= 2.5.5 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-37988
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Creative Solutions Contact Form Generator plugin <= 2.5.5 versions. The Contact Form Generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the id parameter in versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. WordPress Contact Form Generator plugin version 2.5.5 suffers from a cross site scripting vulnerability. • https://github.com/codeb0ss/CVE-2023-37988-PoC http://packetstormsecurity.com/files/174896/WordPress-Contact-Form-Generator-2.5.5-Cross-Site-Scripting.html https://patchstack.com/database/vulnerability/contact-form-generator/wordpress-contact-form-generator-plugin-2-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-30488 – Featured Post Creative <= 1.2.7 - Missing Authorization via wpfp_update_featured_post
https://notcve.org/view.php?id=CVE-2023-30488
The Featured Post Creative plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpfp_update_featured_post function called via a nopriv AJAX action in versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to change what post is featured. • CWE-862: Missing Authorization •
CVE-2022-1562 – Enable SVG < 1.4.0 - Author+ Stored Cross Site Scripting via SVG
https://notcve.org/view.php?id=CVE-2022-1562
The Enable SVG WordPress plugin before 1.4.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads El plugin Enable SVG de WordPress versiones anteriores a 1.4.0 no sanea los archivos SVG subidos, lo que podría permitir a usuarios con un rol tan bajo como el de Autor subir un SVG malicioso que contenga cargas útiles de tipo XSS • https://wpscan.com/vulnerability/8e5b1e4f-c132-42ee-b2d0-7306ab4ab615 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-38546
https://notcve.org/view.php?id=CVE-2021-38546
CREATIVE Pebble devices through 2021-08-09 allow remote attackers to recover speech signals from an LED on the device, via a telescope and an electro-optical sensor, aka a "Glowworm" attack. The power indicator LED of the speakers is connected directly to the power line, as a result, the intensity of a device's power indicator LED is correlative to the power consumption. The sound played by the speakers affects their power consumption and as a result is also correlative to the light intensity of the LEDs. By analyzing measurements obtained from an electro-optical sensor directed at the power indicator LEDs of the speakers, we can recover the sound played by them. Los dispositivos CREATIVE Pebble hasta 09-08-2021, permiten a atacantes remotos recuperar las señales de voz de un LED del dispositivo, por medio de un telescopio y un sensor electro-óptico, también se conoce como un ataque "Glowworm". • https://www.nassiben.com/glowworm-attack •