CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2024-2033 – Video Conferencing with Zoom <= 4.4.5 - Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2024-2033
The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.5 via the get_assign_host_id AJAX action. This makes it possible for authenticated attackers, with subscriber access or higher, to enumerate usernames, emails and IDs of all users on a site. El complemento Video Conferencing with Zoom para WordPress es vulnerable a la exposición de información confidencial en todas las versiones hasta la 4.4.5 incluida a través de la acción AJAX get_assign_host_id. Esto hace posible que atacantes autenticados, con acceso de suscriptor o superior, enumeren nombres de usuario, correos electrónicos e identificaciones de todos los usuarios de un sitio. • https://github.com/annmuor/CVE-2024-20338 https://plugins.trac.wordpress.org/changeset/3054964/video-conferencing-with-zoom-api/trunk?contextall=1&old=3048839&old_path=%2Fvideo-conferencing-with-zoom-api%2Ftrunk https://www.wordfence.com/threat-intel/vulnerabilities/id/0966057b-8a3c-4d3c-84cb-cf36f1d97922?source=cve • CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2031 – Video Conferencing with Zoom <= 4.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2024-2031
The Video Conferencing with Zoom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zoom_recordings_by_meeting' shortcode in all versions up to, and including, 4.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Video Conferencing with Zoom para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del código corto 'zoom_recordings_by_meeting' del complemento en todas las versiones hasta la 4.4.4 incluida debido a una sanitización de entrada insuficiente y a un escape de salida en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados con permisos de nivel de colaborador y superiores inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset/3048838/video-conferencing-with-zoom-api/trunk/includes/Shortcodes/Recordings.php https://www.wordfence.com/threat-intel/vulnerabilities/id/06e48355-6932-4401-8787-e6432444930f?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •