CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43235 – WordPress Meta Box plugin <= 5.9.10 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-43235
09 Aug 2024 — Missing Authorization vulnerability in MetaBox.Io Meta Box – WordPress Custom Fields Framework allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Meta Box – WordPress Custom Fields Framework: from n/a through 5.9.10. The Meta Box – WordPress Custom Fields Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the query function called via 'ajax_get_posts' in versions up to, and including, 5.9.10. This makes it ... • https://patchstack.com/database/vulnerability/meta-box/wordpress-meta-box-plugin-5-9-10-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-1204 – Meta Box < 5.9.4 - Contributor+ Arbitrary Posts' Custom Field Disclosure
https://notcve.org/view.php?id=CVE-2024-1204
25 Mar 2024 — The Meta Box WordPress plugin before 5.9.4 does not prevent users with at least the contributor role from access arbitrary custom fields assigned to other user's posts. El complemento Meta Box de WordPress anterior a 5.9.4 no impide que los usuarios con al menos el rol de colaborador accedan a campos personalizados arbitrarios asignados a las publicaciones de otros usuarios. The Meta Box – WordPress Custom Fields Framework plugin for WordPress is vulnerable to information exposure in all versions up to, and... • https://wpscan.com/vulnerability/03191b00-0b05-42db-9ce2-fc525981b6c9 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6526 – Meta Box – WordPress Custom Fields Framework <= 5.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-6526
05 Feb 2024 — The Meta Box – WordPress Custom Fields Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom post meta values displayed through the plugin's shortcode in all versions up to, and including, 5.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Meta Box – Wor... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3030376%40meta-box&new=3030376%40meta-box&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-14793 – Meta Box - WordPress Custom Fields Framework <= 4.16.2 - File Deletion via attachment_id Parameter
https://notcve.org/view.php?id=CVE-2019-14793
02 Feb 2019 — The Meta Box plugin before 4.16.3 for WordPress allows file deletion via ajax, with the wp-admin/admin-ajax.php?action=rwmb_delete_file attachment_id parameter. El plugin Meta Box en versiones anteriores a 4.16.3 para WordPress, permite la eliminación de archivos por medio de ajax, con el parámetro wp-admin/admin-ajax.php?action=rwmb_delete_file attachment_id. • https://metabox.io/changelog • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-14794 – Meta Box <= 4.16.1 - Mishandling of File Upload
https://notcve.org/view.php?id=CVE-2019-14794
01 Feb 2019 — The Meta Box plugin before 4.16.2 for WordPress mishandles the uploading of files to custom folders. El plugin Meta Box en versiones anteriores a 4.16.2 para WordPress, maneja inapropiadamente la carga de archivos hacia carpetas personalizadas. • https://metabox.io/changelog • CWE-19: Data Processing Errors CWE-73: External Control of File Name or Path •