CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23979 – WordPress Ultimate Reviews plugin <= 3.0.15 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2022-23979
06 Jan 2022 — Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability discovered in Ultimate Reviews WordPress plugin (versions <= 3.0.15). Se ha detectado una vulnerabilidad de tipo Cross-Site Scripting (XSS) autenticado (admin+) en el plugin Ultimate Reviews de WordPress (versiones anteriores a 3.0.15 incluyéndola) • https://patchstack.com/database/vulnerability/ultimate-reviews/wordpress-ultimate-reviews-plugin-3-0-15-authenticated-stored-cross-site-scripting-xss-vulnerability • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2020-36726 – Ultimate Reviews < 2.1.33 - PHP Object Injection
https://notcve.org/view.php?id=CVE-2020-36726
10 Nov 2020 — The Ultimate Reviews plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.1.32 via deserialization of untrusted input in several vulnerable functions. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. • https://blog.nintechnet.com/wordpress-ultimate-reviews-plugin-fixed-insecure-deserialization-vulnerability • CWE-502: Deserialization of Untrusted Data •