CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-27889 – LIQUID SPEECH BALLOON <= 1.1.8 - Cross-Site Request Forgery to Settings Update
https://notcve.org/view.php?id=CVE-2023-27889
Cross-site request forgery (CSRF) vulnerability in LIQUID SPEECH BALLOON versions prior to 1.2 allows a remote unauthenticated attacker to hijack the authentication of a user and to perform unintended operations by having a user view a malicious page. The LIQUID SPEECH BALLOON plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.8 . This is due to missing nonce validation on the liquid_speech_balloon_admin_page() function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://jvn.jp/en/jp/JVN99657911 https://wordpress.org/plugins/liquid-speech-balloon/#developers • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2019-17070 – LIQUID SPEECH BALLOON < 1.0.7 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-17070
The liquid-speech-balloon (aka LIQUID SPEECH BALLOON) plugin before 1.0.7 for WordPress allows XSS with Internet Explorer. El plugin liquid-speech-balloon (también se conoce como LIQUID SPEECH BALLOON) en versiones anteriores a la.1.0.7 para WordPress permite un ataque de tipo XSS con Internet Explorer. • https://gist.github.com/rezaduty/18afedba24bb1e5835010bd2de67cece https://wordpress.org/plugins/liquid-speech-balloon/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •