
CVE-2023-2122 – Image Optimizer by 10web < 1.0.27 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-2122
26 Apr 2023 — The Image Optimizer by 10web WordPress plugin before 1.0.27 does not sanitise and escape the iowd_tabs_active parameter before rendering it in the plugin admin panel, leading to a reflected Cross-Site Scripting vulnerability, allowing an attacker to trick a logged-in admin into executing arbitrary JavaScript by clicking a link. The Image Optimizer WD plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'iowd_tabs_active' parameter in versions up to, and including, 1.0.26 due to insuffici... • https://wpscan.com/vulnerability/936fd93a-428d-4744-a4fc-c8da78dcbe78 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-1427 – Photo Gallery by 10Web < 1.8.15 - Admin+ Path Traversal
https://notcve.org/view.php?id=CVE-2023-1427
21 Mar 2023 — The Photo Gallery by 10Web WordPress plugin before 1.8.15 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images anywhere in the filesystem via a path traversal vector. The Photo Gallery plugin by 10Web for WordPress is vulnerable to Directory Traversal in versions up to, and including, 1.8.14 via the dir parameter. This allows authenticated attackers with administrator-level permissions to upload files to arbitrary directories on the server. • https://wpscan.com/vulnerability/c8917ba2-4cb3-4b09-8a49-b7c612254946 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2023-0037 – 10WebMapBuilder < 1.0.73 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2023-0037
20 Feb 2023 — The 10Web Map Builder for Google Maps WordPress plugin before 1.0.73 does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. The 10Web Map Builder for Google Maps plugin for WordPress is vulnerable to generic SQL Injection via the multiple parameters in versions up to 1.0.72 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL que... • https://bulletin.iese.de/post/wd-google-maps_1-0-72_1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2022-4758 – 10WebMapBuilder < 1.0.72 - Contributor+ Stored XSS via Shortcode
https://notcve.org/view.php?id=CVE-2022-4758
29 Dec 2022 — The 10WebMapBuilder WordPress plugin before 1.0.72 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. The 10WebMapBuilder WordPress plugin before 1.0.72 does not validate or escape some of its shortcode attributes before returning them to the page, which could allow... • https://wpscan.com/vulnerability/c2c89234-5e9c-47c8-9827-8ab0b10fb7d6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-4197 – Sliderby10Web < 1.2.53 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-4197
30 Nov 2022 — The Sliderby10Web WordPress plugin before 1.2.53 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Sliderby10Web WordPress plugin before version 1.2.53 does not sanitise or escape some of its settings, which could allow high privilege users, such as the administrator, to perform... • https://wpscan.com/vulnerability/96818024-57ab-419d-bd46-7d2da98269e6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-4058 – Photo Gallery < 1.8.3 - Stored XSS via CSRF
https://notcve.org/view.php?id=CVE-2022-4058
28 Nov 2022 — The Photo Gallery by 10Web WordPress plugin before 1.8.3 does not validate and escape some parameters before outputting them back in JS code later on in another page, which could lead to a Stored XSS issue when an attacker makes a logged-in admin open a malicious URL or page under their control. The Photo Gallery by 10Web plugin for WordPress before 1.8.3 does not validate or escape some parameters before outputting them again in JS code later on in another page, which could lead to a problem... • https://wpscan.com/vulnerability/89656cb3-4611-4ae7-b7f8-1b22eb75cfc4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-3300 – Form Maker by 10Web < 1.15.6 - Admin+ SQLI
https://notcve.org/view.php?id=CVE-2022-3300
29 Sep 2022 — The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. The Form Maker by 10Web WordPress plugin, in versions before 1.15.6, does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as the administrator. The Form Maker plugin for WordPr... • https://wpscan.com/vulnerability/ddc9ed69-d942-4fad-bbf4-1be3b86460d9 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2022-1394 – Photo Gallery < 1.6.4 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1394
16 May 2022 — The Photo Gallery by 10Web WordPress plugin before 1.6.4 does not properly validate and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowed. The Photo Gallery by 10Web WordPress plugin, in versions before 1.6.4, does not validate or escape some of its settings, which could allow high privilege users, such as administrators, to perform Cross-Site Scripting attacks ... • https://wpscan.com/vulnerability/f7a0df37-3204-4926-84ec-2204a2f22de3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-1564 – Form Maker By 10Web < 1.14.12 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1564
09 May 2022 — The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. The Form Maker by 10Web WordPress plugin, in versions before 1.14.12, does not sanitize or escape the Custom Text settings, which could allow high privilege users, such as the administrator, to perform Cross-Site Scripting attacks... • https://wpscan.com/vulnerability/a487c7e7-667c-4c92-a427-c43cc13b348d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-1320 – Sliderby10Web < 1.2.52 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1320
26 Apr 2022 — The Sliderby10Web WordPress plugin before 1.2.52 does not properly sanitize and escape some of its settings, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. The Sliderby10Web WordPress plugin, in versions before 1.2.52, does not properly sanitize or escape some of its parameters, which could allow high privilege users, such as administrators, to perform Cross-Site Scripting attacks... • https://wpscan.com/vulnerability/43581d6b-333a-48d9-a1ae-b9479da8ff87 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')