CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41797 – WordPress Locations Plugin <= 4.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-41797
05 Sep 2023 — Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Gold Plugins Locations plugin <= 4.0 versions. Vulnerabilidad de Coss-Site Scripting (XSS) autenticada (con permisos de colaboradores o superiores) almacenada en el complemento Gold Plugins Locations en versiones <= 4.0. The Locations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in versions up to, and including, 4.0 due to insufficient input sanitization and output escaping on user supp... • https://patchstack.com/database/vulnerability/locations/wordpress-locations-plugin-4-0-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2021-4394 – Locations <= 3.2.1 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2021-4394
05 Jul 2021 — The Locations plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.1. This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to update custom field meta data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks • CWE-352: Cross-Site Request Forgery (CSRF) •