CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10533 – WP Chat App <= 3.6.8 - Missing Authorization to Authenticated (Subscriber+) Filebird Plugin Installation
https://notcve.org/view.php?id=CVE-2024-10533
The WP Chat App plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the ajax_install_plugin() function in all versions up to, and including, 3.6.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the filebird plugin. • https://plugins.trac.wordpress.org/browser/wp-whatsapp/tags/3.6.7/includes/Cross.php#L206 https://plugins.trac.wordpress.org/browser/wp-whatsapp/trunk/includes/Cross.php#L206 https://plugins.trac.wordpress.org/changeset/3186930/wp-whatsapp/trunk/includes/Cross.php https://www.wordfence.com/threat-intel/vulnerabilities/id/26f73bfe-f41a-4045-9d72-21181a9a704f?source=cve • CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10055 – Click to Chat – WP Support All-in-One Floating Widget <= 2.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpsaio_snapchat Shortcode
https://notcve.org/view.php?id=CVE-2024-10055
The Click to Chat – WP Support All-in-One Floating Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpsaio_snapchat shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Click to Chat – WP Support All-in-One Floating Widget para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del código corto wpsaio_snapchat del complemento en todas las versiones hasta la 2.3.3 incluida, debido a una desinfección de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten secuencias de comandos web arbitrarias en páginas que se ejecutarán siempre que un usuario acceda a una página inyectada. The Click to Chat – WP Support All-in-One Floating Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpsaio_snapchat shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. • https://plugins.trac.wordpress.org/changeset/3169768 https://wordpress.org/plugins/support-chat/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/b4c13600-0791-4ade-9c28-f43f164aedae?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7031 – File Manager Pro – Filester <= 1.8.2 - Authenticated Plugin Settings Update
https://notcve.org/view.php?id=CVE-2024-7031
The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'njt_fs_saveSettingRestrictions' function in all versions up to, and including, 1.8.2. This makes it possible for authenticated attackers, with a role that has been granted permissions by an Administrator, to update the plugin settings for user role restrictions, including allowing file types such as .php to be uploaded. • https://plugins.trac.wordpress.org/browser/filester/trunk/includes/File_manager/FileManager.php#L566 https://plugins.trac.wordpress.org/changeset/3129722 https://www.wordfence.com/threat-intel/vulnerabilities/id/aef584bd-60a5-4bf2-b8d3-58e3b45e785e?source=cve • CWE-862: Missing Authorization •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-4664 – WP Chat App < 3.6.5 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-4664
The WP Chat App WordPress plugin before 3.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. El complemento de WordPress de WP Chat App anterior a 3.6.5 no sanitiza ni escapa a algunas de sus configuraciones, lo que podría permitir a usuarios con altos privilegios, como administradores, realizar ataques de Cross Site Scripting incluso cuando unfiltered_html no está permitido. The WP Chat App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/46ada0b4-f3cd-44fb-a568-3345e639bdb6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5607 – GDPR CCPA Compliance & Cookie Consent Banner <= 2.7.0 - Missing Authorization to Settings Update and Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-5607
The GDPR CCPA Compliance & Cookie Consent Banner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions named ajaxUpdateSettings() in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings, update page content, send arbitrary emails and inject malicious web scripts. El complemento GDPR CCPA Compliance & Cookie Consent Banner para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en varias funciones denominadas ajaxUpdateSettings() en todas las versiones hasta la 2.7.0 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, modifiquen la configuración del complemento, actualicen el contenido de la página, envíen correos electrónicos arbitrarios e inyecten scripts web maliciosos. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3097680%40ninja-gdpr-compliance&new=3097680%40ninja-gdpr-compliance&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/b8f870a6-26a5-4f98-9bd6-12736c561265?source=cve • CWE-862: Missing Authorization •