CVE-2024-9849 – 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin <= 4.6 - Authenticated (Author+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-9849
The 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'r3dfb_save_thumbnail_callback' function in all versions up to, and including, 4.6. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files to the affected site's server, which may make remote code execution possible. A second description of the same issue, under the plugin name Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder, gives the affected range as all versions up to, and including, 4.8; the CVE title and the linked plugin source (tag 4.6) use 4.6. • https://plugins.trac.wordpress.org/browser/real3d-flipbook-lite/tags/4.6/includes/plugin-admin.php#L77 https://www.wordfence.com/threat-intel/vulnerabilities/id/1f99b366-1a94-41ed-813a-bb13893604d0?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
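The control that CVE-2024-9849 describes as missing is file type validation in an upload callback. The handler below is an added example of what that validation looks like in a WordPress AJAX handler; it is not the plugin's code, and the function name `r3dfb_example_save_thumbnail`, the nonce action `r3dfb_thumb` and the `thumbnail` field are assumptions. It assumes it runs inside WordPress (`admin-ajax.php`), where the `wp_*` functions exist. Note that an Author legitimately holds `upload_files`, so the capability check alone cannot close this bug; the allow-list and the content check are what stop a `.php` file from reaching disk.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: r3dfb_example_save_thumbnail,
// the 'r3dfb_thumb' nonce action and the 'thumbnail' file field. Assumes WordPress is loaded.

add_action( 'wp_ajax_r3dfb_example_save_thumbnail', 'r3dfb_example_save_thumbnail' );

function r3dfb_example_save_thumbnail() {
    // 1. CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'r3dfb_thumb', 'nonce' );

    // 2. Authorisation. Authors have upload_files, which is the attacker profile in
    //    CVE-2024-9849, so this check is necessary but not sufficient on its own.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( empty( $_FILES['thumbnail'] ) || ! is_uploaded_file( $_FILES['thumbnail']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['thumbnail'];

    // 3. File type validation, the control behind CWE-434. Allow-list image types only.
    //    wp_check_filetype_and_ext() matches the extension against $mimes and, for images,
    //    verifies the actual content type, so a PHP file renamed to .png is rejected too.
    $mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Never build the on-disk name from the client's string. Strip any directory part,
    //    sanitise the stem and force the extension that was just validated.
    $stem = sanitize_file_name( pathinfo( $file['name'], PATHINFO_FILENAME ) );
    if ( '' === $stem ) {
        $stem = 'thumbnail';
    }
    $file['name'] = $stem . '.' . $check['ext'];

    // 5. Let core move the file. 'mimes' restricts wp_handle_upload() to the same
    //    allow-list; 'test_form' is off because admin-ajax requests carry no action field.
    $overrides = array( 'test_form' => false, 'mimes' => $mimes );
    $result    = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

As defence in depth, serve `wp-content/uploads` with PHP execution disabled at the web server (a `deny all` rule for `.php` under that path), so that an upload bug of this class yields a file on disk rather than code execution.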
CVE-2024-37215 – WordPress Transition Slider – Responsive Image Slider and Gallery plugin <= 2.20.3 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-37215
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in creativeinteractivemedia Transition Slider – Responsive Image Slider and Gallery allows Stored XSS. This issue affects Transition Slider – Responsive Image Slider and Gallery: from n/a through 2.20.3. The Transition Slider – Responsive Image Slider and Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.20.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Editor-level access to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/transition-slider-lite/wordpress-transition-slider-responsive-image-slider-and-gallery-plugin-2-20-3-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-10965 – Real3D Flipbook <= 1.0.0 - Directory Traversal
https://notcve.org/view.php?id=CVE-2016-10965
The real3d-flipbook-lite plugin 1.0 for WordPress has a directory traversal in the deleteBook parameter (deleteBook=../) used for file deletion, so the path to delete is not confined to the plugin's book directory. • https://mukarramkhalid.com/wordpress-real-3d-flipbook-plugin-exploit https://wordpress.org/plugins/real3d-flipbook-lite/#developers • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2016-10966 – Real3D Flipbook <= 1.0.0 - File Upload to User Controlled Location
https://notcve.org/view.php?id=CVE-2016-10966
The real3d-flipbook-lite plugin 1.0 for WordPress has a directory traversal in the bookName parameter (bookName=../) used for file upload. The Real3D Flipbook plugin for WordPress is vulnerable to file uploads to user-controlled locations due to missing directory validation in the 'bookName' parameter in versions up to, and including, 1.0.0. This makes it possible for attackers to upload files to arbitrary locations on the affected site's server. • https://mukarramkhalid.com/wordpress-real-3d-flipbook-plugin-exploit https://wordpress.org/plugins/real3d-flipbook-lite/#developers • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
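CVE-2016-10965 and CVE-2016-10966 are the same defect on two parameters: a name taken from the request (`deleteBook`, `bookName`) is joined onto a directory without confining the result to that directory. The resolver below is an added example of the containment check both handlers need; it is not the plugin's code, and the names `r3dfb_example_book_dir`, `r3dfb_example_resolve_book`, `r3dfb_example_delete_book`, `r3dfb_example_upload_target` and the `r3dfb_delete` nonce action are assumptions. It assumes WordPress is loaded (`wp_upload_dir`, `sanitize_file_name`, `check_ajax_referer`, `wp_unslash`). It applies two independent layers: a syntactic rule (the name must be one plain path segment) and, for anything already on disk, a `realpath()` comparison that also catches symlinks pointing out of the directory.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: r3dfb_example_book_dir,
// r3dfb_example_resolve_book, r3dfb_example_delete_book, r3dfb_example_upload_target.
// Assumes WordPress is loaded.

// Directory every book lives in; 'deleteBook' and 'bookName' must both resolve under it.
function r3dfb_example_book_dir() {
    $uploads = wp_upload_dir();
    return trailingslashit( $uploads['basedir'] ) . 'real3d-flipbook/';
}

// Returns an absolute path under the book directory, or false if $book_name is not a
// single, plain path segment. Works for existing targets (delete) and new ones (upload).
function r3dfb_example_resolve_book( $book_name ) {
    if ( ! is_string( $book_name ) || '' === $book_name ) {
        return false;
    }
    // Layer 1, syntactic: sanitize_file_name() strips '/', '\', NUL and collapses '..'.
    // Any name it would change is rejected outright rather than silently "cleaned".
    if ( $book_name !== sanitize_file_name( $book_name ) || false !== strpos( $book_name, '..' ) ) {
        return false;
    }

    $real_base = realpath( r3dfb_example_book_dir() );
    if ( false === $real_base ) {
        return false; // base directory missing: nothing to resolve against
    }
    $real_base = rtrim( $real_base, '/' ) . '/';
    $candidate = $real_base . $book_name;

    // Layer 2, semantic: for an existing target, canonicalise (this follows symlinks)
    // and require the result to start with the canonical base directory.
    if ( file_exists( $candidate ) ) {
        $real = realpath( $candidate );
        if ( false === $real || 0 !== strpos( $real . '/', $real_base ) ) {
            return false;
        }
        return $real;
    }
    // Not on disk yet (upload case): layer 1 guarantees a single segment under base.
    return $candidate;
}

// deleteBook (CVE-2016-10965): capability, nonce, then containment before any unlink.
function r3dfb_example_delete_book() {
    check_ajax_referer( 'r3dfb_delete', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $name = isset( $_POST['deleteBook'] ) ? wp_unslash( $_POST['deleteBook'] ) : '';
    $dir  = r3dfb_example_resolve_book( $name );
    if ( false === $dir || ! is_dir( $dir ) ) {
        wp_send_json_error( 'invalid book', 400 );
    }
    // ... remove only the files inside $dir ...
    wp_send_json_success();
}

// bookName (CVE-2016-10966): the same resolver decides where an uploaded page may land,
// and the file name gets the same single-segment treatment as the book name.
function r3dfb_example_upload_target( $book_name, $page_file_name ) {
    $dir = r3dfb_example_resolve_book( $book_name );
    if ( false === $dir ) {
        return false;
    }
    $file = sanitize_file_name( $page_file_name );
    if ( '' === $file || $file !== $page_file_name ) {
        return false;
    }
    return rtrim( $dir, '/' ) . '/' . $file;
}
```

With this in place, `deleteBook=../` and `bookName=../` fail at layer 1 (the name is altered by `sanitize_file_name()` and contains `..`), and a book directory that is really a symlink to `wp-content` fails at layer 2. The upload target still needs the file type checks shown for the 2024 issue; containment only decides where a file lands, not what it is.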
CVE-2016-10967 – Real3D Flipbook <= 1.0 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2016-10967
The real3d-flipbook-lite plugin 1.0 for WordPress has reflected XSS via the bookId parameter of wp-content/plugins/real3d-flipbook/includes/flipbooks.php. • https://mukarramkhalid.com/wordpress-real-3d-flipbook-plugin-exploit https://wordpress.org/plugins/real3d-flipbook-lite/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
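The reflected XSS in `bookId` here and the stored XSS in the Transition Slider entry (CVE-2024-37215) have the same fix: validate on input where the type allows it, and escape on output with the function that matches the context the value lands in. The code below is an added example of that, not either plugin's code; the names `r3dfb_example_render_book`, `r3dfb_example_render_slides`, `r3dfb_example_sanitize_slides`, the slide fields `title`, `caption`, `link` and the text domain `r3dfb-example` are assumptions, and it assumes WordPress is loaded (`absint`, `esc_attr`, `esc_html__`, `esc_url`, `esc_url_raw`, `wp_kses_post`, `sanitize_text_field`, `wp_unslash`).

```php
<?php
// Added example, not the plugin's code. Hypothetical names: r3dfb_example_render_book,
// r3dfb_example_render_slides, r3dfb_example_sanitize_slides; slide fields title/caption/link.
// Assumes WordPress is loaded.

// Reflected case (CVE-2016-10967 class): a request parameter reaching markup.
function r3dfb_example_render_book() {
    // Vulnerable shape:  echo '<div data-book="' . $_GET['bookId'] . '">';
    // A value such as  1"><script>...</script>  closes the attribute and runs.

    // Hardened: bookId is an integer id, so reject anything else up front ...
    $book_id = isset( $_GET['bookId'] ) ? absint( wp_unslash( $_GET['bookId'] ) ) : 0;
    if ( 0 === $book_id ) {
        return '<p>' . esc_html__( 'Unknown book.', 'r3dfb-example' ) . '</p>';
    }
    // ... and still escape for the attribute context on the way out.
    return '<div id="flipbook" data-book="' . esc_attr( $book_id ) . '"></div>';
}

// Stored case (CVE-2024-37215 class): slide data saved by an Editor through the plugin's
// settings screen and rendered later. Each field is escaped for the context it lands in.
function r3dfb_example_render_slides( array $slides ) {
    $html = '';
    foreach ( $slides as $slide ) {
        $title   = isset( $slide['title'] ) ? $slide['title'] : '';
        $caption = isset( $slide['caption'] ) ? $slide['caption'] : '';
        $link    = isset( $slide['link'] ) ? $slide['link'] : '';
        $html .= '<figure class="slide">'
            . '<a href="' . esc_url( $link ) . '" title="' . esc_attr( $title ) . '">' // esc_url drops javascript:
            . '<figcaption>' . wp_kses_post( $caption ) . '</figcaption>'             // limited HTML, no script/on*
            . '</a></figure>';
    }
    return $html;
}

// On save: sanitise before storing so the option never holds raw script. Use as the
// sanitize_callback of register_setting() for the slides option.
function r3dfb_example_sanitize_slides( $raw ) {
    $clean = array();
    foreach ( (array) $raw as $slide ) {
        $clean[] = array(
            'title'   => sanitize_text_field( isset( $slide['title'] ) ? $slide['title'] : '' ),
            'caption' => wp_kses_post( isset( $slide['caption'] ) ? $slide['caption'] : '' ),
            'link'    => esc_url_raw( isset( $slide['link'] ) ? $slide['link'] : '' ),
        );
    }
    return $clean;
}
```

One caveat when triaging the Editor-level stored XSS: on a single-site WordPress install, Administrators and Editors hold the `unfiltered_html` capability and can already put script into post content. That does not excuse a plugin's own settings fields; those are expected to be sanitised on save and escaped on output regardless of who saved them, which is why this class is still reported against plugins.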