NotCVE - vendor:"Unknown"

Page 84 of 528 results (0.011 seconds)

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 2

CVE-2024-2729 – Otter Blocks < 2.6.6 - Contributor+ Stored XSS

https://notcve.org/view.php?id=CVE-2024-2729

The Otter Blocks WordPress plugin before 2.6.6 does not properly escape its mainHeadings blocks' attribute before appending it to the final rendered block, allowing contributors to conduct Stored XSS attacks. El complemento Otter Blocks de WordPress anterior a 2.6.6 no escapa correctamente del atributo de sus bloques mainHeadings antes de agregarlo al bloque renderizado final, lo que permite a los contribuyentes realizar ataques XSS almacenados. The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via new post creation in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://github.com/th3gokul/CVE-2024-27292 https://wpscan.com/vulnerability/5014f886-020e-49d1-96a5-2159eed8ba14 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 1

CVE-2024-2118 – Social Media Share Buttons < 2.8.9 - Admin+ Stored XSS via settings

https://notcve.org/view.php?id=CVE-2024-2118

The Social Media Share Buttons & Social Sharing Icons WordPress plugin before 2.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) El complemento Social Media Share Buttons & Social Sharing Icons de WordPress anterior a 2.8.9 no desinfecta ni escapa a algunas de sus configuraciones, lo que podría permitir a usuarios con altos privilegios, como el administrador, realizar ataques de Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no está permitida ( por ejemplo en configuración multisitio) The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/e9d53cb9-a5cb-49f5-bcba-295ae6fa44c3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 1

CVE-2024-2309 – WP Staging < 3.4.0, 5.4.0 (Pro Version) - Admin+ Stored XSS

https://notcve.org/view.php?id=CVE-2024-2309

The WP STAGING WordPress Backup Plugin WordPress plugin before 3.4.0, wp-staging-pro WordPress plugin before 5.4.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) El complemento WP STAGING WordPress Backup Plugin de WordPress anterior a 3.4.0, el complemento de WordPress wp-staging-pro anterior a 5.4.0 no desinfecta ni escapa a algunas de sus configuraciones, lo que podría permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no está permitida (por ejemplo, en configuración multisitio) The WP Staging (Free <= 3.3.3, Pro <= 5.3.3) plugins for WordPress are vulnerable to Stored Cross-Site Scripting via admin settings in various versions due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/a4152818-1e07-46a7-aec4-70f1a1b579a6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1

CVE-2024-2102 – Salon booking system < 9.6.3 - Unauthenticated Stored XSS

https://notcve.org/view.php?id=CVE-2024-2102

The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field and 'sms_prefix' parameter when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Bookings' page and the malicious script is executed in the admin context. El complemento Salon booking system de WordPress anterior a 9.6.3 no desinfecta adecuadamente ni escapa del campo 'Teléfono móvil' y del parámetro 'sms_prefix' al reservar una cita, lo que permite a los clientes realizar ataques de Cross-Site Scripting Almacenado. La carga útil se activa cuando un administrador visita la página "Reservas" y el script malicioso se ejecuta en el contexto del administrador. The Salon booking system plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sms_prefix' parameter in all versions up to, and including, 9.6.2 due to insufficient input sanitization and output escaping. • https://wpscan.com/vulnerability/3d15f589-956c-4c71-98b1-3ba89d22262c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1

CVE-2024-1219 – Easy Social Feed < 6.5.6 - Contributor+ Stored XSS

https://notcve.org/view.php?id=CVE-2024-1219

The Easy Social Feed WordPress plugin before 6.5.6 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin El complemento Easy Social Feed de WordPress anterior a 6.5.6 no valida ni escapa algunos de sus atributos de código corto antes de devolverlos a la página, lo que podría permitir a los usuarios con un rol tan bajo como colaborador realizar ataques de Cross-Site Scripting Almacenado que podrían ser utilizado contra usuarios con privilegios elevados, como el administrador The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 6.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/ce4ac9c4-d293-4464-b6a0-82ddf8d4860b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

1...82 83 84 85 86