CVE-2024-43344 – WordPress Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA plugin <= 3.1.25 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-43344
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Icegram allows Stored XSS.This issue affects Icegram: from n/a through 3.1.25. The Icegram plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.1.25 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/icegram/wordpress-icegram-engage-ultimate-wp-popup-builder-lead-generation-optins-and-cta-plugin-3-1-25-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-43272 – WordPress Icegram Engage plugin <= 3.1.24 - Unauthenticated Unpublished Campaign Viewer vulnerability
https://notcve.org/view.php?id=CVE-2024-43272
Missing Authentication for Critical Function vulnerability in icegram Icegram allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Icegram: from n/a through 3.1.24. The Icegram plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the display_messages() function in versions up to, and including, 3.1.24. This makes it possible for unauthenticated attackers to preview campaigns • https://patchstack.com/database/vulnerability/icegram/wordpress-icegram-engage-plugin-3-1-24-unauthenticated-unpublished-campaign-viewer-vulnerability?_s_id=cve • CWE-306: Missing Authentication for Critical Function CWE-862: Missing Authorization •
CVE-2024-39625 – WordPress Icegram Engage plugin <= 3.1.24 - Unauthenticated Message Duplication Vulnerability
https://notcve.org/view.php?id=CVE-2024-39625
Missing Authorization vulnerability in icegram Icegram allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Icegram: from n/a through 3.1.24. The Icegram plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the duplicate_message() function in versions up to, and including, 3.1.24. This makes it possible for unauthenticated attackers to duplicate messages. • https://patchstack.com/database/vulnerability/icegram/wordpress-icegram-engage-plugin-3-1-24-unauthenticated-message-duplication-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVE-2021-24941 – Icegram < 2.0.5 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24941
The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.0.5 does not sanitise and escape the message_id parameter of the get_message_action_row AJAX action before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue El plugin Popups, Welcome Bar, Optins and Lead Generation de WordPress versiones anteriores a 2.0.5, no sanea ni escapa del parámetro message_id de la acción AJAX get_message_action_row antes de devolverlo a un atributo, conllevando a un problema de tipo Cross-Site Scripting reflejado The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.0.5 does not sanitize and escape the message_id parameter of the get_message_action_row AJAX action before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue • https://wpscan.com/vulnerability/beca7afd-8f03-4909-bea0-77b63513564b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •