CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-7411 – Launcher: Coming Soon & Maintenance Mode < 1.0.11 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-7411
Multiple stored cross-site scripting (XSS) in the MyThemeShop Launcher plugin 1.0.8 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title, (2) Favicon, (3) Meta Description, (4) Subscribe Form (Name field label, Last name field label, Email field label), (5) Contact Form (Name field label and Email field label), and (6) Social Links (Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL). Múltiples ataques de XSS almacenados en el plugin MyThemeShop Launcher, versión 1.0.8, para WordPress permiten a los usuarios remotos autenticados inyectar secuencias de comandos web arbitrarias o HTML a través de los siguientes campos: (1) Título, (2) Favicon, (3) Meta Descripción, (4) Formulario de suscripción (etiqueta de campo de nombre, etiqueta de campo de apellido, etiqueta de campo de correo electrónico), (5) Formulario de contacto (etiqueta de campo de nombre y etiqueta de campo de correo electrónico) y (6) Enlaces sociales (URL de la página de Facebook, URL de la página de Twitter, URL de la página de Instagram, URL de la página de YouTube, URL de la página de Linkedin, URL de la página de Google+, URL de la página de RSS). Multiple stored cross-site scripting (XSS) in the MyThemeShop Launcher plugin before 1.0.11 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title, (2) Favicon, (3) Meta Description, (4) Subscribe Form (Name field label, Last name field label, Email field label), (5) Contact Form (Name field label and Email field label), and (6) Social Links (Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL). • https://metamorfosec.com/Files/Advisories/METS-2019-002-Multiple_Stored_XSS_Vulnerabilities_in_the_MyThemeShop_Launcher_plugin_v1.0.8_for_WordPress.txt https://wpvulndb.com/vulnerabilities/9275 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-18568 – My WP Translate <= 1.0.3 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-18568
The my-wp-translate plugin before 1.0.4 for WordPress has XSS. El plugin my-wp-translate antes de 1.0.4 para WordPress tiene XSS. The My WP Translate plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on the 'tab' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a victim's browser. • https://wordpress.org/plugins/my-wp-translate/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-18569 – My WP Translate <= 1.0.3 - Unprotected AJAX Actions
https://notcve.org/view.php?id=CVE-2017-18569
The my-wp-translate plugin before 1.0.4 for WordPress has CSRF. El plugin my-wp-translate antes de 1.0.4 para WordPress tiene CSRF. The My WP Translate plugin for WordPress is vulnerable to an authorization bypass weakness in versions up to, and including, 1.0.3. This is due to missing capability checks and nonce validation on the following functions: ajax_translation_panel(), ajax_save_translation(), ajax_add_plugin(), ajax_remove_plugin(), ajax_save_state(), ajax_import_strings(), and ajax_update_export_code(). This makes it possible for low-privileged authenticated attackers to perform a wide variety of actions such as adding or removing plugins. • https://wordpress.org/plugins/my-wp-translate/#developers • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •