
CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Sep 2023 — The ActivityPub WordPress plugin before 1.0.0 does not sanitize and escape some data from post content, which could allow users with the Contributor role and above to perform Stored Cross-Site Scripting attacks. The ActivityPub plugin for WordPress is vulnerable to Stored Cross-Site Scri... • https://wpscan.com/vulnerability/c15a6032-6495-47a8-828c-37e55ed9665a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Sep 2023 — The ActivityPub WordPress plugin before 1.0.0 does not escape user metadata before outputting it in mentions, which could allow users with the Contributor role and above to perform Stored XSS attacks. The ActivityPub plugin for WordPress is vulnerable to Stored Cross-Site... • https://wpscan.com/vulnerability/58a63507-f0fd-46f1-a80c-6b1c41dddcf5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Sep 2023 — The ActivityPub WordPress plugin before 1.0.0 does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as a Subscriber, to retrieve the title of an arbitrary post (such as a draft or private post) via an IDOR vector. • https://wpscan.com/vulnerability/daa4d93a-f8b1-4809-a18e-8ab63a05de5a • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Sep 2023 — The ActivityPub WordPress plugin before 1.0.0 does not ensure that post contents to be displayed are public and belong to the plugin, allowing any authenticated user, such as a Subscriber, to retrieve the content of an arbitrary post (such as a draft or private post) via an IDOR vector. Password-protected posts are not affected by this issue. • https://wpscan.com/vulnerability/541bbe4c-3295-4073-901d-763556269f48 • CWE-639: Authorization Bypass Through User-Controlled Key •