Page 2 of 12 results (0.001 seconds)

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Paul Ryley Site Reviews plugin <= 6.5.1 versions. The Site Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 6.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/site-reviews/wordpress-site-reviews-plugin-6-5-1-cross-site-scripting-xss-vulnerability-2?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Paul Ryley Site Reviews plugin <= 6.5.1 versions. The Site Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attribute(s) in versions up to, and including, 6.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/site-reviews/wordpress-site-reviews-plugin-6-5-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

The Site Reviews plugin for WordPress is vulnerable to setting modification and information disclosure due to lack of capability checks in a variety of functions, including rollbackPluginAjax, downloadConsole, downloadSystemInfo and exportSettings in versions up to, and including, 6.5.1. These functions are also vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation. This makes it possible for authenticated attackers with subscriber-level access, and above, to tamper with the console logging level amongst other actions like rolling back the plugin's version. • CWE-862: Missing Authorization •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

Improper Neutralization of Formula Elements in a CSV File vulnerability in Paul Ryley Site Reviews.This issue affects Site Reviews: from n/a through 6.2.0. Neutralización inadecuada de elementos de fórmula en una vulnerabilidad de CSV File en Paul Ryley Site Reviews. Este problema afecta a Site Reviews: desde n/a hasta 6.2.0. The Site Reviews plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.2.0. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. • https://patchstack.com/database/vulnerability/site-reviews/wordpress-site-reviews-plugin-6-2-0-unauth-csv-injection-vulnerability?_s_id=cve • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1

The Site Reviews WordPress plugin before 5.17.3 does not sanitise and escape the site-reviews parameter of the glsr_action AJAX action (available to unauthenticated and any authenticated users), allowing them to perform Cross-Site Scripting attacks against logged in admins viewing the Tool dashboard of the plugin El plugin Site Reviews de WordPress versiones anteriores a 5.17.3, no sanea ni escapa el parámetro site-reviews de la acción AJAX glsr_action (disponible para usuarios no autenticados y para cualquier usuario autenticado), permitiéndoles llevar a cabo ataques de tipo Cross-Site Scripting contra administradores registrados que visualicen el panel de herramientas del plugin • https://plugins.trac.wordpress.org/changeset/2629821 https://wpscan.com/vulnerability/0118f245-0e6f-44c1-9bdb-5b3a5d2403d6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •