CVE-2024-8959 – WP Adminify – Best WordPress Custom Dashboard Plugin <= 4.0.1.6 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
https://notcve.org/view.php?id=CVE-2024-8959
The WP Adminify – Custom WordPress Dashboard, Login and Admin Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.0.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
• https://plugins.trac.wordpress.org/changeset/3165558
• https://wordpress.org/plugins/adminify/#developers
• https://wpadminify.com/changelogs
• https://www.wordfence.com/threat-intel/vulnerabilities/id/68094545-0e2a-429d-95b7-bfa86eca1caa?source=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-6282 – Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via data-jltma-wrapper-link Element
https://notcve.org/view.php?id=CVE-2024-6282
The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-jltma-wrapper-link element in all versions up to, and including, 2.0.6.4 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected link.
• https://plugins.trac.wordpress.org/browser/master-addons/tags/2.0.6.2/assets/js/master-addons-scripts.js#L3398
• https://plugins.trac.wordpress.org/changeset/3146230
• https://www.wordfence.com/threat-intel/vulnerabilities/id/8bab0acc-5a5d-4dd4-9201-199b7f5aaa69?source=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-3134 – Master Addons for Elementor <= 2.0.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-3134
The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the title_html_tag attribute in all versions up to, and including, 2.0.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3087193%40master-addons%2Ftrunk&old=3078134%40master-addons%2Ftrunk&sfp_email=&sfph_mail=
• https://www.wordfence.com/threat-intel/vulnerabilities/id/6106c972-5475-4c19-8630-3a01edc616ad?source=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4580 – Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-4580
The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 2.0.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-35702 is likely a duplicate of this issue.
• https://plugins.trac.wordpress.org/browser/master-addons/trunk/addons/ma-image-hover-effects/ma-image-hover-effects.php#L1546
• https://plugins.trac.wordpress.org/browser/master-addons/trunk/addons/ma-tabs/ma-tabs.php#L1068
• https://plugins.trac.wordpress.org/changeset/3087193
• https://www.wordfence.com/threat-intel/vulnerabilities/id/e3e3ac84-dd82-42b0-80b9-c876731170d5?source=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4265 – Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.5.9 - Contributor+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-4265
The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 2.0.5.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
• https://plugins.trac.wordpress.org/browser/master-addons/trunk/addons/ma-image-carousel/ma-image-carousel.php#L915
• https://plugins.trac.wordpress.org/browser/master-addons/trunk/addons/ma-logo-slider/ma-logo-slider.php#L825
• https://plugins.trac.wordpress.org/changeset/3078134
• https://www.wordfence.com/threat-intel/vulnerabilities/id/a9a48769-94d9-459f-b34b-fdfe4c10b36c?source=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')