CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-1219 – Easy Social Feed < 6.5.6 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-1219
The Easy Social Feed WordPress plugin before 6.5.6 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin El complemento Easy Social Feed de WordPress anterior a 6.5.6 no valida ni escapa algunos de sus atributos de código corto antes de devolverlos a la página, lo que podría permitir a los usuarios con un rol tan bajo como colaborador realizar ataques de Cross-Site Scripting Almacenado que podrían ser utilizado contra usuarios con privilegios elevados, como el administrador The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 6.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/ce4ac9c4-d293-4464-b6a0-82ddf8d4860b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6883 – Easy Social Feed <= 6.5.2 - Missing Authorization to Settings Modification
https://notcve.org/view.php?id=CVE-2023-6883
The Easy Social Feed plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in all versions up to, and including, 6.5.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions, such as modifying the plugin's Facebook and Instagram access tokens and updating group IDs. El complemento Easy Social Feed para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en múltiples funciones AJAX en todas las versiones hasta la 6.5.2 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, realicen acciones no autorizadas, como modificar los tokens de acceso de Facebook e Instagram del complemento y actualizar las ID de grupo. • https://plugins.trac.wordpress.org/changeset/3012165/easy-facebook-likebox https://www.wordfence.com/threat-intel/vulnerabilities/id/3deee9b5-2e36-447d-a492-e22e3dc6a5ab?source=cve • CWE-732: Incorrect Permission Assignment for Critical Resource CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4474 – Easy Social Feed – Social Photos Gallery – Post Feed – Like Box < 6.4.0 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-4474
The Easy Social Feed WordPress plugin before 6.4.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. El complemento Easy Social Feed de WordPress anterior a 6.4.0 no valida ni escapa algunos de sus atributos de código corto antes de devolverlos a la página, lo que podría permitir a los usuarios con un rol tan bajo como colaborador realizar ataques de cross-site scripting almacenado que podrían ser utilizado contra usuarios con privilegios elevados, como el administrador. The Easy Social Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page • https://wpscan.com/vulnerability/3acc6940-13ec-40fb-8471-6b2f0445c543 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2021-25120 – Easy Social Feed < 6.2.7 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-25120
The Easy Social Feed Free and Pro WordPress plugins before 6.2.7 do not sanitise some of their parameters used via AJAX actions before outputting them back in the response, leading to Reflected Cross-Site Scripting issues Los plugins Easy Social Feed Free y Pro de WordPress versiones anteriores a 6.2.7, no sanean algunos de los parámetros usados por medio de acciones AJAX antes de devolverlos a la respuesta, conllevando a problemas de tipo Cross-Site Scripting reflejado • https://wpscan.com/vulnerability/0ad020b5-0d16-4521-8ea7-39cd206ab9f6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •