CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38703 – WordPress Button Plugin MaxButtons plugin <= 9.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2022-38703
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Max Foundry Button Plugin MaxButtons plugin <= 9.2 at WordPress Una vulnerabilidad de tipo Cross-Site Scripting (XSS) Autenticado (admin+) en el plugin Max Foundry Buttons versiones anteriores a 9.2 incluyéndola en WordPress. The MaxButtons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/maxbuttons/wordpress-wordpress-button-plugin-maxbuttons-plugin-9-2-authenticated-stored-cross-site-scripting-xss-vulnerability/_s_id=cve https://wordpress.org/plugins/maxbuttons/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36346 – WordPress MaxButtons plugin <= 9.2 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
https://notcve.org/view.php?id=CVE-2022-36346
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Max Foundry MaxButtons plugin <= 9.2 at WordPress. Múltiples vulnerabilidades de tipo Cross-Site Request Forgery (CSRF) en el plugin Max Foundry MaxButtons versiones anteriores a 9.2 incluyéndola, en WordPress. The WordPress Button Plugin MaxButtons plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 9.2. This is due to missing or incorrect nonce validation on the handlePost function. This makes it possible for unauthenticated attackers to change plugin settings via forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/maxbuttons/wordpress-maxbuttons-plugins-9-2-multiple-cross-site-request-forgery-csrf-vulnerabilities https://wordpress.org/plugins/maxbuttons/#developers • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2014-7181 – MaxButtons < 1.26.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-7181
Cross-site scripting (XSS) vulnerability in the Max Foundry MaxButtons plugin before 1.26.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter in a button action on the maxbuttons-controller page to wp-admin/admin.php, related to the button creation page. Vulnerabilidad de XSS en el plugin Max Foundry MaxButtons anterior a 1.26.1 para Wordpress permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro id en una acción de botón en la página maxbuttons-controller a wp-admin/admin.php, relacionado con el botón de creación de páginas. Reflected Cross-site scripting (XSS) vulnerability in the Max Foundry MaxButtons plugin before 1.26.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter in a button action on the maxbuttons-controller page to wp-admin/admin.php, related to the button creation page. CVE-2014-125092 appears to be a duplicate of this issue. WordPress MaxButtons plugin version 1.26.0 suffers from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/128693/WordPress-MaxButtons-1.26.0-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/533700/100/0/threaded https://wordpress.org/plugins/maxbuttons/changelog https://www.htbridge.com/advisory/HTB23237 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •