CVE-2022-33969 – WordPress Flipbox plugin <= 2.6.0 - Authenticated WordPress Options Change vulnerability
https://notcve.org/view.php?id=CVE-2022-33969
Authenticated WordPress Options Change vulnerability in Biplob Adhikari's Flipbox plugin <= 2.6.0 at WordPress. The Flipbox – Awesomes Flip Boxes Image Overlay plugin for WordPress is vulnerable to arbitrary options updates in versions up to, and including, 2.6.0. This is due to a lack of validation on the settings supplied to the oxi_settings() function. This makes it possible for authenticated attackers with administrator-level permissions to update arbitrary options on the WordPress site. This would only affect sites where the administrator role has been restricted so that it lacks the 'manage_options' capability, or where the administrator has allowed users with lower permissions to update the plugin's settings.
References: https://patchstack.com/database/vulnerability/image-hover-effects-ultimate-visual-composer/wordpress-flipbox-plugin-2-6-0-authenticated-wordpress-options-change-vulnerability • https://plugins.trac.wordpress.org/changeset/2648808
Weakness: CWE-264: Permissions, Privileges, and Access Controls • CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2022-34487 – WordPress Shortcode Addons plugin <= 3.0.2 - Unauthenticated Arbitrary Option Update vulnerability
https://notcve.org/view.php?id=CVE-2022-34487
Unauthenticated Arbitrary Option Update vulnerability in biplob018's Shortcode Addons plugin <= 3.0.2 at WordPress. The "Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension" plugin for WordPress is vulnerable to arbitrary options update in versions up to, and including, 3.0.2. This is due to an improperly configured capability check in the permission_callback of the ShortCodeAddonsUltimate/v2/ REST API endpoint. This makes it possible for unauthenticated attackers to modify arbitrary site options, which can be used for complete site takeover.
References: https://patchstack.com/database/vulnerability/shortcode-addons/wordpress-shortcode-addons-plugin-3-0-3-unauthenticated-arbitrary-option-update-vulnerability • https://wordpress.org/plugins/shortcode-addons/#developers
Weakness: CWE-264: Permissions, Privileges, and Access Controls • CWE-862: Missing Authorization
CVE-2022-33198 – WordPress Accordions plugin <= 2.0.2 - Unauthenticated WordPress Options Change vulnerability
https://notcve.org/view.php?id=CVE-2022-33198
Unauthenticated WordPress Options Change vulnerability in Biplob Adhikari's Accordions plugin <= 2.0.2 at WordPress. The Accordions plugin for WordPress is vulnerable to arbitrary options update in versions up to, and including, 2.0.2. This is due to insufficient capability checking and option validation. This makes it possible for unauthenticated attackers to modify arbitrary options on the site, which can be used for complete site takeover.
References: https://patchstack.com/database/vulnerability/accordions-or-faqs/wordpress-accordions-plugin-2-0-2-unauthenticated-wordpress-options-change-vulnerability • https://wordpress.org/plugins/accordions-or-faqs/#developers
Weakness: CWE-264: Permissions, Privileges, and Access Controls • CWE-862: Missing Authorization
CVE-2022-29424 – WordPress Image Hover Effects Ultimate plugin <= 9.7.1 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2022-29424
Authenticated (admin or higher user role) Reflected Cross-Site Scripting (XSS) vulnerability in Biplob Adhikari's Image Hover Effects Ultimate plugin <= 9.7.1 at WordPress. Please note that this is separate from CVE-2021-25031.
References: https://patchstack.com/database/vulnerability/image-hover-effects-ultimate/wordpress-image-hover-effects-ultimate-plugin-9-7-1-authenticated-reflected-cross-site-scripting-xss-vulnerability • https://wordpress.org/plugins/image-hover-effects-ultimate/#developers
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-25031 – Image Hover Effects Ultimate < 9.7.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-25031
The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute on an admin page, leading to a Reflected Cross-Site Scripting vulnerability.
References: https://plugins.trac.wordpress.org/changeset/2648086 • https://wpscan.com/vulnerability/1fbcf5ec-498e-4d40-8577-84b8c7ac3201
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')