CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-33695 – WordPress Fan Page Widget by ThemeNcode plugin <= 2.0 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-33695
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNcode Fan Page Widget by ThemeNcode allows Stored XSS.This issue affects Fan Page Widget by ThemeNcode: from n/a through 2.0. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('Cross-site Scripting') en ThemeNcode Fan Page Widget by ThemeNcode permite almacenar XSS. Este problema afecta el widget de página de fans de ThemeNcode: desde n/a hasta 2.0. The Fan Page Widget by ThemeNcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/facebook-fan-page-widget/wordpress-fan-page-widget-by-themencode-plugin-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32815 – WordPress All-in-one Like Widget plugin <= 2.2.7 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-32815
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Peters All-in-one Like Widget allows Stored XSS.This issue affects All-in-one Like Widget: from n/a through 2.2.7. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('cross-site Scripting') en Jeroen Peters All-in-one Like Widget permite almacenar XSS. Este problema afecta el widget Me gusta todo en uno: desde n/a hasta 2.2.7 . The All-in-one Like Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/all-in-one-facebook-like-widget/wordpress-all-in-one-like-widget-plugin-2-2-7-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32689 – WordPress WP Social Comments plugin <= 1.7.3 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-32689
Missing Authorization vulnerability in GenialSouls WP Social Comments.This issue affects WP Social Comments: from n/a through 1.7.3. Vulnerabilidad de autorización faltante en GenialSouls WP Social Comments. Este problema afecta a WP Social Comments: desde n/a hasta 1.7.3. The WP Social Comments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpfc_allow_comments() function in all versions up to, and including, 1.7.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to turn on comments for posts. • https://patchstack.com/database/vulnerability/gs-facebook-comments/wordpress-wp-social-comments-plugin-1-7-3-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31379 – WordPress Smash Balloon Social Post Feed plugin <= 4.2.1 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-31379
Cross-Site Request Forgery (CSRF) vulnerability in Smash Balloon Smash Balloon Social Post Feed.This issue affects Smash Balloon Social Post Feed: from n/a through 4.2.1. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Smash Balloon Smash Balloon Social Post Feed. Este problema afecta al feed de publicaciones sociales de Smash Balloon: desde n/a hasta 4.2.1. The Smash Balloon Social Post Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.2.1. This is due to missing or incorrect nonce validation on the maybe_source_connection_data() function. • https://patchstack.com/database/vulnerability/custom-facebook-feed/wordpress-smash-balloon-social-post-feed-plugin-4-2-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31387 – WordPress Popup Likebox plugin <= 3.7.2 - Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-31387
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Popup LikeBox Team Popup Like box allows Stored XSS.This issue affects Popup Like box: from n/a through 3.7.2. Vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('Cross-site Scripting') en Popup LikeBox Team Popup Like box permite almacenar XSS. Este problema afecta el cuadro Popup Like: desde n/a hasta 3.7.2. The Popup Like box – Page Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/ays-facebook-popup-likebox/wordpress-popup-likebox-plugin-3-7-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •