
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in the Shortcodes Ultimate plugin <= 5.12.0 for WordPress, leading to a change of the plugin's preset settings. The Shortcodes Ultimate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.12.0. This is due to missing or incorrect nonce validation on the ajax_remove_preset() and ajax_get_preset() functions. This makes it possible for unauthenticated attackers to make preset changes via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
References: https://patchstack.com/database/vulnerability/shortcodes-ultimate/wordpress-shortcodes-ultimate-plugin-5-12-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve ; https://wordpress.org/plugins/shortcodes-ultimate/#developers
Weakness: CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with the Contributor role to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some are escaped, most are not, and some attributes are insecure by design (such as the onclick attribute of [su_button]).
References: https://wpscan.com/vulnerability/7f5659bd-50c3-4725-95f4-cf88812acf1c
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

The shortcodes-ultimate plugin before 5.0.1 for WordPress has remote code execution via a filter in a meta, post, or user shortcode.
References: https://wordpress.org/plugins/shortcodes-ultimate/#developers
Weaknesses: CWE-20: Improper Input Validation; CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 5.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

Directory traversal vulnerability in Shortcodes Ultimate prior to version 4.10.0 allows remote attackers to read arbitrary files via unspecified vectors.
References: http://www.securityfocus.com/bid/99495 ; https://jvn.jp/en/jp/JVN63249051/index.html ; https://plugins.trac.wordpress.org/changeset/1684377/#file217 ; https://wordpress.org/plugins/shortcodes-ultimate/#developers
Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')