CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36346 – WordPress MaxButtons plugin <= 9.2 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
https://notcve.org/view.php?id=CVE-2022-36346
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Max Foundry MaxButtons plugin <= 9.2 at WordPress. Múltiples vulnerabilidades de tipo Cross-Site Request Forgery (CSRF) en el plugin Max Foundry MaxButtons versiones anteriores a 9.2 incluyéndola, en WordPress. The WordPress Button Plugin MaxButtons plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 9.2. This is due to missing or incorrect nonce validation on the handlePost function. This makes it possible for unauthenticated attackers to change plugin settings via forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/maxbuttons/wordpress-maxbuttons-plugins-9-2-multiple-cross-site-request-forgery-csrf-vulnerabilities https://wordpress.org/plugins/maxbuttons/#developers • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2017-2169 – MaxButtons <= 6.18 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-2169
Cross-site scripting vulnerability in MaxButtons prior to version 6.19 and MaxButtons Pro prior to version 6.19 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad Cross-Site Scripting (XSS) en versiones anteriores a la 6.19 de MaxButtons y hasta la 6.19 de MaxButtons Pro permite a atacantes remotos inyectar scripts web o HTML arbitrarios utilizando vectores no especificados. • http://jvndb.jvn.jp/jvndb/JVNDB-2017-000093 https://jvn.jp/en/jp/JVN70411623/index.html https://wordpress.org/plugins/maxbuttons/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2014-7181 – MaxButtons < 1.26.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-7181
Cross-site scripting (XSS) vulnerability in the Max Foundry MaxButtons plugin before 1.26.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter in a button action on the maxbuttons-controller page to wp-admin/admin.php, related to the button creation page. Vulnerabilidad de XSS en el plugin Max Foundry MaxButtons anterior a 1.26.1 para Wordpress permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro id en una acción de botón en la página maxbuttons-controller a wp-admin/admin.php, relacionado con el botón de creación de páginas. Reflected Cross-site scripting (XSS) vulnerability in the Max Foundry MaxButtons plugin before 1.26.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter in a button action on the maxbuttons-controller page to wp-admin/admin.php, related to the button creation page. CVE-2014-125092 appears to be a duplicate of this issue. WordPress MaxButtons plugin version 1.26.0 suffers from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/128693/WordPress-MaxButtons-1.26.0-Cross-Site-Scripting.html http://www.securityfocus.com/archive/1/533700/100/0/threaded https://wordpress.org/plugins/maxbuttons/changelog https://www.htbridge.com/advisory/HTB23237 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •