CVE-2022-45816 – WordPress GD bbPress Attachments Plugin <= 4.3.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-45816
Authenticated Stored Cross-Site Scripting (XSS) vulnerability in the GD bbPress Attachments plugin <= 4.3.1 on WordPress. The GD bbPress Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
References:
https://patchstack.com/database/vulnerability/gd-bbpress-attachments/wordpress-gd-bbpress-attachments-plugin-4-3-1-auth-stored-cross-site-scripting-xss-vulnerability?_s_id=cve
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-5482 – GD bbPress Attachments < 2.3 - Directory Traversal
https://notcve.org/view.php?id=CVE-2015-5482
Directory traversal vulnerability in the GD bbPress Attachments plugin before 2.3 for WordPress allows remote administrators to include and execute arbitrary local files via a .. (dot dot) in the tab parameter in the gdbbpress_attachments page to wp-admin/edit.php.
References:
https://packetstormsecurity.com/files/132656/wpgdbbpress-lfi.txt
https://security.dxw.com/advisories/local-file-include-vulnerability-in-gd-bbpress-attachments-allows-attackers-to-include-arbitrary-php-files
https://wordpress.org/plugins/gd-bbpress-attachments/changelog
https://wpvulndb.com/vulnerabilities/8087
Weaknesses: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2015-5481 – GD bbPress Attachments < 2.3 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-5481
Cross-site scripting (XSS) vulnerability in forms/panels.php in the GD bbPress Attachments plugin before 2.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter in the gdbbpress_attachments page to wp-admin/edit.php.
References:
http://packetstormsecurity.com/files/132657/WordPress-GD-bbPress-Attachments-2.1-Cross-Site-Scripting.html
http://seclists.org/fulldisclosure/2015/Jul/53
https://security.dxw.com/advisories/reflected-xss-in-gd-bbpress-attachments-allows-an-attacker-to-do-almost-anything-an-admin-can
https://wordpress.org/plugins/gd-bbpress-attachments/changelog
https://wpvulndb.com/vulnerabilities/8088
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')