
CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

The SEOPress WordPress plugin before 6.5.0.3 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

The SEOPress plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 6.5.0.2 via deserialization of untrusted input in the $redirect_value['sources'] value, triggered by an import through the seopress_import_rk_redirections function. This allows authenticated attackers with administrator-level privileges to inject a PHP object. No POP chain is present in the vulnerable plugin itself; if a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Reference: https://wpscan.com/vulnerability/fb8791f5-2879-431e-9afc-06d5839e4b9d
Weakness: CWE-502: Deserialization of Untrusted Data

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 2

The SEOPress WordPress plugin is vulnerable to Stored Cross-Site Scripting via the processPut function found in the ~/src/Actions/Api/TitleDescriptionMeta.php file, which allows authenticated attackers to inject arbitrary web scripts, in versions 5.0.0 - 5.0.3.

References: https://plugins.trac.wordpress.org/browser/wp-seopress/tags/5.0.4/src/Actions/Api/TitleDescriptionMeta.php#L78
https://www.wordfence.com/blog/2021/08/xss-vulnerability-patched-in-seopress-affects-100000-sites
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')