CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2022-1692 – CP Image Store with Slideshow < 1.0.68 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2022-1692
The CP Image Store with Slideshow WordPress plugin before 1.0.68 does not sanitise and escape the ordering_by query parameter before using it in a SQL statement in pages where the [codepeople-image-store] is embed, allowing unauthenticated users to perform an SQL injection attack El plugin CP Image Store with Slideshow de WordPress versiones anteriores a 1.0.68, no sanea ni escapa del parámetro de consulta ordering_by antes de usarlo en una sentencia SQL en las páginas en las que el [codepeople-image-store] está insertado, permitiendo a usuarios no autenticados llevar a cabo un ataque de inyección SQL • https://bulletin.iese.de/post/cp-image-store_1-0-67 https://wpscan.com/vulnerability/83bae80c-f583-4d89-8282-e6384bbc7571 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 2CVE-2022-0448 – CP Blocks < 1.0.15 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0448
The CP Blocks WordPress plugin before 1.0.15 does not sanitise and escape its "License ID" settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. El plugin CP Blocks de WordPress versiones anteriores a 1.0.15, no sanea ni escapa de su configuración "License ID", lo que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando el unfiltered_html no está autorizado The CP Blocks WordPress plugin before 1.0.15 does not sanitise and escape its "License ID" settings, which could allow high privilege users to inject arbitrary web scripts that execute in a victim's browser even when the unfiltered_html is disallowed. WordPress CP Blocks plugin version 1.0.14 suffers from a persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/50724 https://wpscan.com/vulnerability/d4ff63ee-28e6-486e-9aa7-c878b97f707c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24712 – Appointment Hour Booking – WordPress Booking Plugin < 1.3.17 - Authenticated Stored XSS
https://notcve.org/view.php?id=CVE-2021-24712
The Appointment Hour Booking WordPress plugin before 1.3.17 does not properly sanitize values used when creating new calendars. El plugin Appointment Hour Booking de WordPress versiones anteriores a 1.3.17, no sanea correctamente los valores usados cuando se crean nuevos calendarios • https://wpscan.com/vulnerability/e677e51b-0d3f-44a5-9fcd-c159786b9926 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24673 – Appointment Hour Booking < 1.3.16 - Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24673
The Appointment Hour Booking WordPress plugin before 1.3.16 does not escape some of the Calendar Form settings, allowing high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. El plugin Appointment Hour Booking de WordPress versiones anteriores a 1.3.16, no escapa a algunos de los ajustes del formulario del calendario, que permite a usuarios con privilegios elevados llevar a cabo ataques de tipo Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no está permitida • https://wpscan.com/vulnerability/75a67932-d831-4dfb-a70d-a07650eaa755 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24498 – Calendar Event Multi View < 1.4.01 - Unauthenticated Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24498
The Calendar Event Multi View WordPress plugin before 1.4.01 does not sanitise or escape the 'start' and 'end' GET parameters before outputting them in the page (via php/edit.php), leading to a reflected Cross-Site Scripting issue. El plugin de WordPress Calendar Event Multi View versiones anteriores a 1.4.01, no sanea o escapa de los parámetros GET "start" y "end" antes de mostrarlos en la página (por medio de el archivo php/edit.php), conllevando a un problema de tipo Cross-Site Scripting reflejado The Calendar Event Multi View for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘'start' and 'end' parameters in versions up to, and including, 1.3.99 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/3c5a5187-42b3-4f88-9b0e-4fdfa1c39e86 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •