CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4629 – Product Slider for WooCommerce < 2.6.4 - Contributor+ Stored XSS in Shortcode
https://notcve.org/view.php?id=CVE-2022-4629
28 Dec 2022 — The Product Slider for WooCommerce WordPress plugin before 2.6.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. El complemento Product Slider for WooCommerce WordPress anterior a 2.6.4 no valida ni escapa algunos de sus atributos de shortcode antes de devolverlos a la página, lo que po... • https://wpscan.com/vulnerability/cf0a51f9-21d3-4ae8-b7d2-361921038fe8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4648 – Real Testimonials < 2.6.0 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-4648
22 Dec 2022 — The Real Testimonials WordPress plugin before 2.6.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. El complemento Real Testimonials de WordPress anterior a 2.6.0 no valida ni escapa algunos de sus atributos de código corto antes de devolverlos a la página, lo que podría permitir a los ... • https://wpscan.com/vulnerability/9bbfb664-5b83-452b-82bb-562a1e18eb65 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2382 – Product Slider for WooCommerce < 2.5.7 - Subscriber+ Arbitrary Options Deletion
https://notcve.org/view.php?id=CVE-2022-2382
26 Jul 2022 — The Product Slider for WooCommerce WordPress plugin before 2.5.7 has flawed CSRF checks and lack authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber to call them. One in particular could allow them to delete arbitrary blog options. El plugin Product Slider for WooCommerce de WordPress versiones anteriores a 2.5.7, presenta comprobaciones de tipo CSRF fallidas y carece de autorización en algunas de sus acciones AJAX, lo que permite a cualquier usuario autenticado, ... • https://wpscan.com/vulnerability/777d4637-444b-4eda-bc21-95d3a3bf6cd3 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24738 – Logo Carousel < 3.4.2 - Contributor+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24738
22 Nov 2021 — The Logo Carousel WordPress plugin before 3.4.2 does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks El plugin Logo Carousel de WordPress versiones anteriores a 3.4.2, no comprueba ni escapa de la opción de carrusel "Logo Margin", lo que podría permitir a usuarios con un rol tan bajo como el de Colaborador llevar a cabo ataques de tipo Cross-Site Scripting Almacenado • https://wpscan.com/vulnerability/2c3d8c21-ecd4-41ba-8183-2ecbd9a3df25 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24739 – Logo Carousel < 3.4.2 - Unauthorised Private Post Access
https://notcve.org/view.php?id=CVE-2021-24739
22 Nov 2021 — The Logo Carousel WordPress plugin before 3.4.2 allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature El plugin Logo Carousel de WordPress versiones anteriores a 3.4.2, permite a usuarios con un rol tan bajo como el de Contribuyente duplicar y visualizar publicaciones privadas arbitrarias hechas por otros usuarios por medio de la función Carousel Duplication • https://wpscan.com/vulnerability/2afadc76-93ad-47e1-a224-e442ac41cbce • CWE-285: Improper Authorization CWE-639: Authorization Bypass Through User-Controlled Key •