Page 3 of 15 results (0.002 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

The WP Popup Builder WordPress plugin before 1.2.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting El plugin WP Popup Builder de WordPress antes de la versión 1.2.9 no sanea y escapa de un parámetro antes de devolverlo a la página, lo que lleva a un Reflected Cross-Site Scripting The WP Popup Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/0d889dde-b9d5-46cf-87d3-4f8a85cf9b98 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1

The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup El plugin WP Popup Builder WordPress antes de la versión 1.2.9 no dispone de autorización y comprobación CSRF en una acción AJAX, lo que permite a cualquier usuario autentificado, como los suscriptores, eliminar Popups arbitrarios The WP Popup Builder plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.9. This is due to missing or incorrect nonce validation and capabilities checks on several of its functions available to unauthenticated users. This makes it possible for unauthenticated attackers to create, update, and delete popups. • https://wpscan.com/vulnerability/50037028-2790-47ee-aae1-faf0724eb917 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •

CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 1

The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.4 doesn't have authorisation and nonce checks, which could allow any authenticated users, such as subscriber to update and change various settings El complemento de WordPress Contact Form & Lead Form Elementor Builder anterior a 1.7.4 no tiene autorización ni comprobaciones nonce, lo que podría permitir a cualquier usuario autenticado, como el suscriptor, actualizar y cambiar varias configuraciones. The Contact Form & Lead Form Elementor Builder plugin for WordPress is vulnerable to Arbitrary Settings Change in versions before 1.7.4. This is due to missing capabilities checks on several functions. This makes it possible for authenticated attackers with subscriber-level privileges or above to arbitrarily change plugin settings. • https://plugins.trac.wordpress.org/changeset/2670484 https://wpscan.com/vulnerability/da87358a-3a72-4cf7-a2af-a266dd9b4290 • CWE-862: Missing Authorization •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1

The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.0 does not escape some of its form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed El complemento de WordPress Contact Form & Lead Form Elementor Builder anterior a 1.7.0 no escapa de algunos de sus campos de formulario antes de mostrarlos en atributos, lo que podría permitir a usuarios con altos privilegios realizar ataques de cross site scripting incluso cuando la capacidad unfiltered_html no está permitida. The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to 1.7.0 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/90b8af99-e4a1-4076-99fa-efe805dd4be4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1

The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.6.4 does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against logged in admin viewing the inserted Leads El plugin Contact Form & Lead Form Elementor Builder de WordPress versiones anteriores a 1.6.4, no sanea ni escapa de algunos valores de leads, lo que podría permitir a usuarios no autenticados llevar a cabo ataques de tipo Cross-Site Scripting contra el administrador que haya iniciado la sesión y visualice los Leads insertados • https://wpscan.com/vulnerability/4e165122-4746-42de-952e-a3bf51393a74 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •