
CVE-2023-25703 – WordPress Meta slider and carousel with lightbox plugin <= 1.6.2 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-25703
15 Feb 2023 — Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Meta slider and carousel with lightbox allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Meta slider and carousel with lightbox: from n/a through 1.6.2. The Meta Slider and Carousel with Lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.2. This is due to missing or incorrect nonce validation on the 'wp_igsp_get_attachment_edit_form' ... • https://patchstack.com/database/wordpress/plugin/meta-slider-and-carousel-with-lightbox/vulnerability/wordpress-meta-slider-and-carousel-with-lightbox-plugin-1-6-2-broken-access-control?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization

CVE-2023-22718 – WordPress User Meta Manager Plugin <= 3.4.9 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-22718
19 Jan 2023 — Reflected Cross-Site Scripting (XSS) vulnerability in Jason Lau User Meta Manager plugin <= 3.4.9 versions. The User Meta Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.4.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Reflected Cros... • https://patchstack.com/database/vulnerability/user-meta-manager/wordpress-user-meta-manager-plugin-3-4-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-23712 – WordPress User Meta Manager Plugin <= 3.4.9 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-23712
10 Jan 2023 — Cross-Site Request Forgery (CSRF) vulnerability in User Meta Manager plugin <= 3.4.9 versions. The User Meta Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.9. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unknown action granted they can trick a site administrator into performing an action such as clicking on a link. The impact of this vulnerability... • https://patchstack.com/database/vulnerability/user-meta-manager/wordpress-user-meta-manager-plugin-3-4-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2022-0779 – User Meta < 2.4.4 - Subscriber+ Local File Enumeration via Path Traversal
https://notcve.org/view.php?id=CVE-2022-0779
16 May 2022 — The User Meta WordPress plugin before 2.4.4 does not validate the filepath parameter of its um_show_uploaded_file AJAX action, which could allow low-privileged users such as subscribers to enumerate the local files on the web server via path traversal payloads. • https://packetstorm.news/files/id/167297 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2022-0376 – User Meta < 2.4.3 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0376
09 May 2022 — The User Meta WordPress plugin before 2.4.3 does not sanitise and escape the Form Name, as well as Shared Field Labels, before outputting them in the admin dashboard when editing a form, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. • https://wpscan.com/vulnerability/a3ca2ed4-11ea-4d78-aa4c-4ed58f258932 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-0701 – SEO 301 Meta <= 1.9.1 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0701
21 Feb 2022 — The SEO 301 Meta WordPress plugin through 1.9.1 does not escape its Request and Destination settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. • https://wpscan.com/vulnerability/68882f81-12d3-4e98-82ff-6754ac4ccfa1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-24859 – User Meta Shortcodes <= 0.5 - Contributor+ Unauthorized Arbitrary User Metadata Access
https://notcve.org/view.php?id=CVE-2021-24859
15 Nov 2021 — The User Meta Shortcodes WordPress plugin through 0.5 registers a shortcode that allows any user with a role as low as contributor to access other users' metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data exfiltration, including password hashes. • https://wpscan.com/vulnerability/958f44a5-07e7-4349-9212-2a039a082ba0 • CWE-284: Improper Access Control

CVE-2021-24611 – Keywords & Meta <= 3.0 - CSRF to Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24611
09 Aug 2021 — The Keyword Meta WordPress plugin through 3.0 does not sanitise or escape its settings before outputting them back in the page after they are saved, allowing for Cross-Site Scripting issues. Furthermore, it is also lacking any CSRF check, allowing an attacker to make a logged-in high privilege user save arbitrary settings via a CSRF attack. • https://wpscan.com/vulnerability/b4a2e595-6971-4a2a-a346-ac4445a5e0cd • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2021-24451 – Export Users With Meta < 0.6.5 - Authenticated SQL Injection
https://notcve.org/view.php?id=CVE-2021-24451
21 Jun 2021 — The Export Users With Meta WordPress plugin before 0.6.5 did not escape the list of roles to export before using them in a SQL statement in the export functionality, available to admins, leading to an authenticated SQL Injection. • https://wpscan.com/vulnerability/40603382-404b-44a2-8212-f2008366891c • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2020-27356 – Debug Meta Data <= 1.1.2 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-27356
20 Oct 2020 — The debug-meta-data plugin 1.1.2 for WordPress allows XSS. The Debug Meta Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping of a user's User-Agent HTTP header value. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses a... • https://github.com/ahmadawais/debug-meta-data/blob/master/changelog.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')