
CVE-2023-5110 – BSK PDF Manager <= 3.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2023-5110
23 Oct 2023 — The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bsk-pdfm-category-dropdown' shortcode in versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping of user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/bsk-pdf-manager/trunk/classes/shortcodes/category/category-dropdown.php?rev=2885460#L36 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-24860 – BSK PDF Manager < 3.1.2 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-24860
01 Nov 2021 — The BSK PDF Manager WordPress plugin before 3.1.2 does not validate and escape the orderby and order parameters before using them in a SQL statement, leading to a SQL injection issue. • https://wpscan.com/vulnerability/d5891973-37d0-48cb-a5a3-a26c771b3369 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2014-4944 – BSK PDF Manager <= 1.4 - Authenticated SQL Injection
https://notcve.org/view.php?id=CVE-2014-4944
14 Jul 2014 — Multiple SQL injection vulnerabilities in inc/bsk-pdf-dashboard.php in the BSK PDF Manager plugin 1.3.2 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) categoryid or (2) pdfid parameter to wp-admin/admin.php. • https://www.exploit-db.com/exploits/39240 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')