CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7485 – Traffic Manager <= 1.4.5 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-7485
The Traffic Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page' parameter in the 'UserWebStat' AJAX function in all versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Traffic Manager para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del parámetro 'página' en la función AJAX 'UserWebStat' en todas las versiones hasta la 1.4.5 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/traffic-manager/trunk/traffic-manager.php?rev=1709967#L2375 https://plugins.trac.wordpress.org/browser/traffic-manager/trunk/traffic-manager.php?rev=1709967#L2745 https://www.wordfence.com/threat-intel/vulnerabilities/id/a2f508f1-45a0-4cb4-9d67-51edd3d74abe?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-42460 – WordPress Traffic Manager plugin <= 1.4.5 - Broken Access Control vulnerability leading to Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-42460
Broken Access Control vulnerability leading to Stored Cross-Site Scripting (XSS) in Traffic Manager plugin <= 1.4.5 on WordPress. Vulnerabilidad de Control de Acceso Roto que conduce a Cross-Site Scripting (XSS) Almacenado en el complemento Traffic Manager en WordPress en versiones <= 1.4.5. The Traffic Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/traffic-manager/wordpress-traffic-manager-plugin-1-4-5-broken-access-control-vulnerability-leading-to-stored-cross-site-scripting-xss?_s_id=cve https://wordpress.org/plugins/traffic-manager • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41695 – WordPress Traffic Manager Plugin <= 1.4.5 is vulnerable to Broken Access Control
https://notcve.org/view.php?id=CVE-2022-41695
Missing Authorization vulnerability in SedLex Traffic Manager.This issue affects Traffic Manager: from n/a through 1.4.5. Vulnerabilidad de autorización faltante en SedLex Traffic Manager. Este problema afecta a Traffic Manager: desde n/a hasta 1.4.5. The Traffic Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on an unknown function in versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to access functionality or information not intended for them. • https://patchstack.com/database/vulnerability/traffic-manager/wordpress-traffic-manager-plugin-1-4-5-multiple-vulnerabilities?_s_id=cve • CWE-862: Missing Authorization •