3 results (0.001 seconds)

CVSS: 6.1EPSS: %CPEs: 7EXPL: 0

Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Los complementos Multiple para WordPress son vulnerables a Cross-Site Scripting reflejado a través del código corto cminds_free_guide en varias versiones debido a una desinfección de entrada y un escape de salida insuficientes. Esto permite que atacantes no autenticados inyecten secuencias de comandos web arbitrarias en páginas que se ejecutan si logran engañar a un usuario para que realice una acción, como hacer clic en un enlace. • https://plugins.trac.wordpress.org/browser/cm-business-directory/trunk/package/cminds-free.php#L1465 https://plugins.trac.wordpress.org/browser/cm-email-blacklist/trunk/package/cminds-free.php#L1465 https://plugins.trac.wordpress.org/browser/cm-header-footer-script-loader/trunk/package/cminds-free.php#L1465 https://plugins.trac.wordpress.org/browser/cm-on-demand-search-and-replace/trunk/package/cminds-free.php#L1469 https://plugins.trac.wordpress.org/browser/cm-pop-up-banners/trunk/package/cminds-free.ph • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

The CM Tooltip Glossary – Powerful Glossary Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.11. This is due to missing or incorrect nonce validation when saving settings. This makes it possible for unauthenticated attackers to change the plugin's settings or reset them via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. El complemento CM Tooltip Glossary – Powerful Glossary Plugin para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 4.2.11 incluida. Esto se debe a que falta una validación nonce o es incorrecta al guardar la configuración. • https://plugins.trac.wordpress.org/changeset/3076616/enhanced-tooltipglossary/trunk/settings/CMTT_Settings.php?contextall=1&old=3029791&old_path=%2Fenhanced-tooltipglossary%2Ftrunk%2Fsettings%2FCMTT_Settings.php https://www.wordfence.com/threat-intel/vulnerabilities/id/f3e2ddde-1421-4352-b93a-1492574f624e?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 1

The Video Lessons Manager WordPress plugin before 1.7.2 and Video Lessons Manager Pro WordPress plugin before 3.5.9 do not properly sanitize and escape values when updating their settings, which could allow high privilege users to perform Cross-Site Scripting attacks El plugin Video Lessons Manager de WordPress versiones anteriores a 1.7.2 y el plugin Video Lessons Manager Pro de WordPress versiones anteriores a 3.5.9, no sanean correctamente y escapan de los valores cuando actualizan sus ajustes, que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting • https://wpscan.com/vulnerability/4a90be69-41eb-43e9-962d-34316497b4df • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •