CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-10901 – Customer Reviews < 3.0.9 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2016-10901
The wp-customer-reviews plugin before 3.0.9 for WordPress has XSS in the admin tools. El plugin wp-customer-reviews antes de 3.0.9 para WordPress tiene XSS en las herramientas de administración. The Customer Reviews Plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_debug_code' parameter in versions up to, and including, 3.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wordpress.org/plugins/wp-customer-reviews/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-10902 – WP Customer Reviews <= 3.0.8 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2016-10902
The wp-customer-reviews plugin before 3.0.9 for WordPress has CSRF in the admin tools. El plugin wp-customer-reviews antes de 3.0.9 para WordPress tiene CSRF en las herramientas de administración. The Customer Reviews Plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.8. This is due to missing nonce validation on the 'update_options' function. This makes it possible for unauthenticated attackers modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://wordpress.org/plugins/wp-customer-reviews/#developers • CWE-352: Cross-Site Request Forgery (CSRF) •