CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0376 – Qubely < 1.8.5 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0376
The Qubely WordPress plugin before 1.8.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. El complemento Qubely WordPress anterior a 1.8.5 no valida ni escapa algunas de sus opciones de bloqueo antes de devolverlas a una página/publicación donde está incrustado el bloque, lo que podría permitir a los usuarios con el rol de colaborador y superior realizar ataques de cross site scripting almacenado. The Quebely plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in versions up to, and including, 1.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/b1aa6f32-c1d5-4fc6-9a4e-d4c5fae78389 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0236 – Tutor LMS < 2.0.10 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-0236
The Tutor LMS WordPress plugin before 2.0.10 does not sanitise and escape the reset_key and user_id parameters before outputting then back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin The Tutor LMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'reset_key' and 'user_id' parameters (used by the password retrieval form) in versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/503835db-426d-4b49-85f7-c9a20d6ff5b8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3830 – WP Page Builder <= 1.2.8 - Admin+ Stored Cross-Site
https://notcve.org/view.php?id=CVE-2022-3830
The WP Page Builder WordPress plugin through 1.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). El complemento de WordPress WP Page Builder hasta la versión 1.2.8 no sanitiza ni escapa a algunas de sus configuraciones, lo que podría permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de cross site scripting almacenado incluso cuando la capacidad unfiltered_html no está permitida (por ejemplo, en la configuración de múltiples sitios). The WP Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for administrator-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/98b2321d-fb66-4e02-9906-63af7b08d647 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-40963 – WordPress WP Page Builder plugin <= 1.2.6 - Multiple Auth. Stored Cross-Site Scripting (XSS) vulnerabilities
https://notcve.org/view.php?id=CVE-2022-40963
Multiple Auth. (author+) Stored Cross-Site Scripting (XSS) vulnerabilities in WP Page Builder plugin <= 1.2.6 on WordPress. Multiples vulnerabilidades de Cross-Site Scripting (XSS) Almacenado autenticado (con permisos de autor o superiores) en el complemento WP Page Builder en versiones <= 1.2.6 en WordPress. The WP Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/wp-pagebuilder/wordpress-wp-page-builder-plugin-1-2-6-multiple-auth-stored-cross-site-scripting-xss-vulnerabilities?_s_id=cve https://wordpress.org/plugins/wp-pagebuilder • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2563 – Tutor LMS < 2.0.10 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2563
The Tutor LMS WordPress plugin before 2.0.10 does not escape some course parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) El plugin Tutor LMS de WordPress versiones anteriores a 2.0.10, no escapa a algunos parámetros del curso, lo que podría permitir a usuarios con altos privilegios, como el administrador, llevar a cabo ataques de tipo Cross-Site Scripting Almacenado, incluso cuando la capacidad unfiltered_html no está permitida (por ejemplo, en la configuración multisitio) The Tutor LMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the topic name and lesson name parameters in versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/98cd761c-7527-4224-965d-d34472b5c19f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •