
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.37 via the 'grid_style' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

• https://plugins.trac.wordpress.org/browser/wpzoom-elementor-addons/trunk/includes/wpzoom-elementor-ajax-posts-grid.php#L105
• https://plugins.trac.wordpress.org/browser/wpzoom-elementor-addons/trunk/includes/wpzoom-elementor-ajax-posts-grid.php#L112
• https://plugins.trac.wordpress.org/changeset/3090236#file6
• https://www.wordfence.com/threat-intel/vulnerabilities/id/f006bb33-d017-445b-9c02-bd848c199671?source=cve
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Box widget in all versions up to, and including, 1.1.36 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

• https://plugins.trac.wordpress.org/browser/wpzoom-elementor-addons/trunk/includes/widgets/image-box/image-box.php#L1229
• https://plugins.trac.wordpress.org/changeset/3084540
• https://wordpress.org/plugins/wpzoom-elementor-addons/#developers
• https://www.wordfence.com/threat-intel/vulnerabilities/id/c7aaff3e-0c81-4fe7-b162-569c517f6c49?source=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM WPZOOM Addons for Elementor (Templates, Widgets) allows Stored XSS. This issue affects WPZOOM Addons for Elementor (Templates, Widgets): from n/a through 1.1.35.

The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 1.1.35 due to insufficient input sanitization and output escaping on user-supplied attributes such as 'title_tag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

• https://patchstack.com/database/vulnerability/wpzoom-elementor-addons/wordpress-wpzoom-addons-for-elementor-plugin-1-1-35-cross-site-scripting-xss-vulnerability?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

The WPZOOM Social Feed Widget & Block plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpzoom_instagram_clear_data() function in all versions up to, and including, 2.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete all Instagram images installed on the site.

• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3069664%40instagram-widget-by-wpzoom&new=3069664%40instagram-widget-by-wpzoom&sfp_email=&sfph_mail=
• https://www.wordfence.com/threat-intel/vulnerabilities/id/e3a70510-51c8-49c3-933b-79e79dfb8611?source=cve
• CWE-862: Missing Authorization

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

Missing Authorization vulnerability in WPZOOM Social Icons Widget & Block by WPZOOM. This issue affects Social Icons Widget & Block by WPZOOM: from n/a through 4.2.15.

The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the zoom_ajax_set_pointer_transient() function in versions up to, and including, 4.2.15. This makes it possible for authenticated attackers, with subscriber-level access and above, to set pointer transients.

• https://patchstack.com/database/vulnerability/social-icons-widget-by-wpzoom/wordpress-social-icons-widget-block-by-wpzoom-plugin-4-2-15-broken-access-control-vulnerability?_s_id=cve
• CWE-862: Missing Authorization