CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40213 – WordPress Justified Gallery plugin <= 1.7.3 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-40213
10 Aug 2023 — Missing Authorization vulnerability in Mateusz Czardybon Justified Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Justified Gallery: from n/a through 1.7.3. The Justified Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dismiss_how_to_use_notice' and 'dismiss_notice' functions in versions up to, and including, 1.7.3. This makes it possible for authenticated attackers, with subscriber-... • https://patchstack.com/database/wordpress/plugin/justified-gallery/vulnerability/wordpress-justified-gallery-plugin-1-7-3-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4651 – Justified Gallery < 1.7.1 - Contributor+ Stored XSS via Shortcode
https://notcve.org/view.php?id=CVE-2022-4651
23 Dec 2022 — The Justified Gallery WordPress plugin before 1.7.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. The Justified Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including 1.7.0 due to insufficient sanitization and escaping on the attribute values passed through the plugins shortcode. This makes it possible for authenticated attackers with co... • https://wpscan.com/vulnerability/d8182075-7472-48c8-8e9d-94b12ab6fcf6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 425EXPL: 0CVE-2022-4974 – Freemius SDK <= 2.4.2 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2022-4974
04 Mar 2022 — The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable. • https://www.wordfence.com/threat-intel/vulnerabilities/id/39fb0499-9ab4-4a2f-b0db-ece86bcf4d42?source=cve • CWE-862: Missing Authorization •