CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-50527 – WordPress Stacks Mobile App Builder plugin <= 5.2.3 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-50527
Unrestricted Upload of File with Dangerous Type vulnerability in Stacks Stacks Mobile App Builder allows Upload a Web Shell to a Web Server.This issue affects Stacks Mobile App Builder: from n/a through 5.2.3. The Stacks Mobile App Builder – The most powerful Mobile Applications Drag and Drop builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 5.2.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/stacks-mobile-app-builder/wordpress-stacks-mobile-app-builder-plugin-5-2-3-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-50528 – WordPress Stacks Mobile App Builder plugin <= 5.2.3 - Sensitive Data Exposure vulnerability
https://notcve.org/view.php?id=CVE-2024-50528
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Stacks Stacks Mobile App Builder allows Retrieve Embedded Sensitive Data.This issue affects Stacks Mobile App Builder: from n/a through 5.2.3. The Stacks Mobile App Builder – The most powerful Mobile Applications Drag and Drop builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.3. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data. • https://patchstack.com/database/vulnerability/stacks-mobile-app-builder/wordpress-stacks-mobile-app-builder-plugin-5-2-3-sensitive-data-exposure-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-50477 – WordPress Stacks Mobile App Builder plugin <= 5.2.3 - Account Takeover vulnerability
https://notcve.org/view.php?id=CVE-2024-50477
Authentication Bypass Using an Alternate Path or Channel vulnerability in Stacks Stacks Mobile App Builder stacks-mobile-app-builder allows Authentication Bypass.This issue affects Stacks Mobile App Builder: from n/a through 5.2.3. The Stacks Mobile App Builder – The most powerful Mobile Applications Drag and Drop builder plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.2.3. This is due to the plugin not properly verifying a user's identity prior to authenticating them via the receive_request_checkout() function. This makes it possible for unauthenticated attackers to log in as any user based on user ID. • https://github.com/RandomRobbieBF/CVE-2024-50477 https://patchstack.com/database/vulnerability/stacks-mobile-app-builder/wordpress-stacks-mobile-app-builder-plugin-5-2-3-account-takeover-vulnerability?_s_id=cve • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32565 – WordPress App Builder plugin <= 3.8.8 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-32565
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Appcheap.Io App Builder allows Stored XSS.This issue affects App Builder: from n/a through 3.8.8. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('cross-site Scripting') en Appcheap.Io App Builder permite almacenar XSS. Este problema afecta a App Builder: desde n/a hasta 3.8.8. The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/app-builder/wordpress-app-builder-plugin-3-8-8-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31282 – WordPress App Builder plugin <= 3.8.7 - Open Redirection vulnerability
https://notcve.org/view.php?id=CVE-2024-31282
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Appcheap.Io App Builder.This issue affects App Builder: from n/a through 3.8.7. The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 3.8.7. This is due to insufficient validation on the redirect url supplied via the 'url' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. • https://patchstack.com/database/vulnerability/app-builder/wordpress-app-builder-plugin-3-8-7-open-redirection-vulnerability?_s_id=cve • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •