
CVSS: 5.4 | EPSS: 0% | CPEs: 2 | EXPL: 1

The WordPress File Upload WordPress plugin before 4.16.3 and the wordpress-file-upload-pro WordPress plugin before 4.16.3 allow users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could then be used for Cross-Site Scripting attacks.
• https://plugins.trac.wordpress.org/changeset/2677722
• https://wpscan.com/vulnerability/18902832-2973-498d-808e-c75d1aedc11e
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 5.4 | EPSS: 0% | CPEs: 2 | EXPL: 1

The WordPress File Upload WordPress plugin before 4.16.3 and the wordpress-file-upload-pro WordPress plugin before 4.16.3 do not escape some of their shortcode arguments, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.
• https://plugins.trac.wordpress.org/changeset/2677722
• https://wpscan.com/vulnerability/c911bbbd-0196-4e3d-ada3-4efb8a339954
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 5% | CPEs: 1 | EXPL: 1

An issue was discovered in the File Upload plugin before 4.13.0 for WordPress. A directory traversal can lead to remote code execution by uploading a crafted txt file into the lib directory, because of a wfu_include_lib call.
• https://github.com/beerpwn/CVE/tree/master/WP-File-Upload_disclosure_report
• https://wordpress.org/plugins/wp-file-upload/#developers
• https://wpvulndb.com/vulnerabilities/10132
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Iptanus WordPress File Upload plugin before 4.3.4 for WordPress mishandles Settings attributes, leading to XSS.
• https://www.exploit-db.com/exploits/44444
• https://wordpress.org/plugins/wp-file-upload/#developers
• https://www.iptanus.com/new-version-4-3-4-of-wordpress-file-upload-plugin
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Iptanus WordPress File Upload plugin before 4.3.3 for WordPress mishandles shortcode attributes. WordPress File Upload plugin version 4.3.2 suffers from a persistent cross-site scripting vulnerability.
• https://www.exploit-db.com/exploits/44443
• https://wordpress.org/plugins/wp-file-upload/#developers
• https://www.iptanus.com/new-version-4-3-3-of-wordpress-file-upload-plugin
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')