CVE-2024-4626 – JetWidgets For Elementor <= 1.0.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via layout_type and id Parameters
https://notcve.org/view.php?id=CVE-2024-4626
The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'layout_type' and 'id' parameters in all versions up to, and including, 1.0.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References:
• https://plugins.trac.wordpress.org/changeset/3103042/jetwidgets-for-elementor/tags/1.0.18/includes/addons/jet-widgets-image-comparison.php
• https://plugins.trac.wordpress.org/changeset/3103042/jetwidgets-for-elementor/tags/1.0.18/includes/addons/jet-widgets-images-layout.php
• https://www.wordfence.com/threat-intel/vulnerabilities/id/4457d15e-2c01-498d-b94a-a6e93adcf70c?source=cve
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-48762 – WordPress JetElements For Elementor Plugin <= 2.6.13 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-48762
Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock JetElements For Elementor. This issue affects JetElements For Elementor: from n/a through 2.6.13. Multiple plugins by Crocoblock for WordPress are vulnerable to Cross-Site Request Forgery in various versions. This is due to missing or incorrect nonce validation on an unknown function.
References:
• https://patchstack.com/database/vulnerability/jet-elements/wordpress-jetelements-for-elementor-plugin-2-6-13-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-39157 – WordPress JetElements For Elementor Plugin <= 2.6.10 is vulnerable to Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2023-39157
Improper Control of Generation of Code ('Code Injection') vulnerability in Crocoblock JetElements For Elementor. This issue affects JetElements For Elementor: from n/a through 2.6.10. The JetElements plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.6.10 via the render_meta() function, which passes user-supplied input to call_user_func_array(). This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server.
References:
• https://patchstack.com/database/vulnerability/jet-elements/wordpress-jetelements-for-elementor-plugin-2-6-10-authenticated-remote-code-execution-rce-vulnerability?_s_id=cve
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2023-33212 – WordPress JetFormBuilder Plugin <= 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-33212
Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock JetFormBuilder — Dynamic Blocks Form Builder plugin <= 3.0.6 versions. The JetFormBuilder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.6. This is due to missing or incorrect nonce validation on the 'do_admin_action' function. This makes it possible for unauthenticated attackers to perform various administrative tasks in the plugin via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
References:
• https://patchstack.com/database/vulnerability/jetformbuilder/wordpress-jetformbuilder-plugin-3-0-6-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-1406 – JetEngine < 3.1.3.1 - Author+ Remote Code Execution
https://notcve.org/view.php?id=CVE-2023-1406
The JetEngine WordPress plugin before 3.1.3.1 includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability. The Crocoblock JetEngine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in versions up to, and including, 3.1.3. This makes it possible for authenticated attackers with author-level permissions and above to upload arbitrary files on the affected site's server, which may make remote code execution possible.
References:
• https://wpscan.com/vulnerability/2a81b6b1-2339-4889-9c28-1af133df8b65
CWE-434: Unrestricted Upload of File with Dangerous Type