NotCVE - vendor:"Devnath Verma" product:"Widget Bundle" version:" <= 2.0.0"

3 results (0.006 seconds)

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1

CVE-2024-4970 – Widget Bundle <= 2.0.0 - Admin+ Stored XSS

https://notcve.org/view.php?id=CVE-2024-4970

31 May 2024 — The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) El complemento Widget Bundle de WordPress hasta la versión 2.0.0 no sanitiza ni escapa a algunas de sus configuraciones, lo que podría permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de ... • https://wpscan.com/vulnerability/4a9fc352-7ec2-4992-9cda-7bdca4f42788 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1

CVE-2024-4616 – Widget Bundle <= 2.0.0 - Unauthencated Reflected XSS

https://notcve.org/view.php?id=CVE-2024-4616

31 May 2024 — The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users El complemento Widget Bundle de WordPress hasta la versión 2.0.0 no sanitiza ni escapa un parámetro antes de devolverlo a la página, lo que genera un Cross-Site Scripting Reflejado que podría usarse solo contra usuarios no autenticados. The Widget Bundle plugin for WordPress is vulne... • https://wpscan.com/vulnerability/d203bf3b-aee9-4755-b429-d6bbdd940890 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1

CVE-2024-4969 – Widget Bundle <= 2.0.0 - Widget Disable/Enable via CSRF

https://notcve.org/view.php?id=CVE-2024-4969

31 May 2024 — The Widget Bundle WordPress plugin through 2.0.0 does not have CSRF checks when logging Widgets, which could allow attackers to make logged in admin enable/disable widgets via a CSRF attack El complemento Widget Bundle de WordPress hasta la versión 2.0.0 no tiene comprobaciones CSRF al registrar widgets, lo que podría permitir a los atacantes habilitar/deshabilitar los widgets del administrador registrado a través de un ataque CSRF. The Widget Bundle plugin for WordPress is vulnerable to Cross-Site Request ... • https://wpscan.com/vulnerability/1a7ec5dc-eda4-4fed-9df9-f41d2b937fed • CWE-352: Cross-Site Request Forgery (CSRF) •