CVE-2024-0559 – Enhanced Text Widget < 1.6.6 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-0559
The Enhanced Text Widget WordPress plugin before 1.6.6 does not validate and escape some of its widget options before outputting them back in attributes, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
The Enhanced Text Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget options in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
• https://research.cleantalk.org/cve-2024-0559
• https://wpscan.com/vulnerability/b257daf2-9540-4a0f-a560-54b47d2b913f
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-0951 – Advanced Social Feeds Widget & Shortcode <= 1.7 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-0951
The Advanced Social Feeds Widget & Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
The Advanced Social Feeds Widget & Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
• https://wpscan.com/vulnerability/88b2e479-eb15-4213-9df8-3d353074974e
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-0780 – Enjoy Social Feed <= 6.2.2 - Subscriber+ Plugin Database Reset
https://notcve.org/view.php?id=CVE-2024-0780
The Enjoy Social Feed plugin for WordPress website WordPress plugin through 6.2.2 does not have an authorisation check when resetting its database, allowing any authenticated user, such as a subscriber, to perform that action.
The Enjoy Social Feed plugin for WordPress website plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check when accessing the enjoyinstagram_plugin_options page in all versions up to, and including, 6.2.2. This makes it possible for authenticated attackers with subscriber-level access and above to reset the plugin's database.
• https://wpscan.com/vulnerability/be3045b1-72e6-450a-8dd2-4702a9328447
• CWE-862: Missing Authorization
CVE-2024-0779 – Enjoy Social Feed <= 6.2.2 - Unauthenticated Arbitrary Instagram Account Unlinking
https://notcve.org/view.php?id=CVE-2024-0779
The Enjoy Social Feed plugin for WordPress website WordPress plugin through 6.2.2 does not have authorisation and CSRF checks in various functions hooked to admin_init, allowing unauthenticated users to call them and, for example, unlink arbitrary users' Instagram accounts.
The Enjoy Social Feed plugin for WordPress website plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions hooked via admin_init in all versions up to, and including, 6.2.2. This makes it possible for unauthenticated attackers to perform actions such as unlinking a user's Instagram account.
• https://wpscan.com/vulnerability/ced134cf-82c5-401b-9476-b6456e1924e2
• CWE-862: Missing Authorization
CVE-2024-0719 – Tabs Shortcode and Widget <= 1.17 - Contributor+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-0719
The Tabs Shortcode and Widget WordPress plugin through 1.17 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
The Tabs Shortcode and Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.17 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
• https://wpscan.com/vulnerability/6e67bf7f-07e6-432b-a8f4-aa69299aecaf
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')