CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6526 – Meta Box – WordPress Custom Fields Framework <= 5.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-6526
05 Feb 2024 — The Meta Box – WordPress Custom Fields Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom post meta values displayed through the plugin's shortcode in all versions up to, and including, 5.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Meta Box – Wor... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3030376%40meta-box&new=3030376%40meta-box&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41876 – WordPress WP Gallery Metabox Plugin <= 1.0.0 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-41876
05 Sep 2023 — Cross-Site Request Forgery (CSRF) vulnerability in Hardik Kalathiya WP Gallery Metabox plugin <= 1.0.0 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento Hardik Kalathiya WP Gallery Metabox en versiones <= 1.0.0. The WP Gallery Metabox plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the gallery_metabox() function. This makes it possible for unauthenticated attacke... • https://patchstack.com/database/vulnerability/wp-gallery-metabox/wordpress-wp-gallery-metabox-plugin-1-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2561 – Gallery Metabox <= 1.5 - Missing Authorization via gallery_remove
https://notcve.org/view.php?id=CVE-2023-2561
22 Jun 2023 — The Gallery Metabox for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gallery_remove function in versions up to, and including, 1.5. This makes it possible for subscriber-level attackers to modify galleries attached to posts and pages with this plugin. • https://plugins.trac.wordpress.org/browser/gallery-metabox/trunk/gallery-metabox.php?rev=611664#L233 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2562 – Gallery Metabox <= 1.5 - Missing Authorization via refresh_metabox
https://notcve.org/view.php?id=CVE-2023-2562
22 Jun 2023 — The Gallery Metabox for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the refresh_metabox function in versions up to, and including, 1.5. This makes it possible for subscriber-level attackers to obtain a list of images attached to a post. • https://plugins.trac.wordpress.org/browser/gallery-metabox/trunk/gallery-metabox.php?rev=611664#L203 • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-47134 – WordPress Gallery Metabox Plugin <= 1.5 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-47134
19 Apr 2023 — Cross-Site Request Forgery (CSRF) vulnerability in Bill Erickson Gallery Metabox plugin <= 1.5 versions. The Gallery Metabox plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the gallery_remove function. This makes it possible for unauthenticated attackers to remove a gallery via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Cross-... • https://patchstack.com/database/vulnerability/gallery-metabox/wordpress-gallery-metabox-plugin-1-5-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-14793 – Meta Box - WordPress Custom Fields Framework <= 4.16.2 - File Deletion via attachment_id Parameter
https://notcve.org/view.php?id=CVE-2019-14793
02 Feb 2019 — The Meta Box plugin before 4.16.3 for WordPress allows file deletion via ajax, with the wp-admin/admin-ajax.php?action=rwmb_delete_file attachment_id parameter. El plugin Meta Box en versiones anteriores a 4.16.3 para WordPress, permite la eliminación de archivos por medio de ajax, con el parámetro wp-admin/admin-ajax.php?action=rwmb_delete_file attachment_id. • https://metabox.io/changelog • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-14794 – Meta Box <= 4.16.1 - Mishandling of File Upload
https://notcve.org/view.php?id=CVE-2019-14794
01 Feb 2019 — The Meta Box plugin before 4.16.2 for WordPress mishandles the uploading of files to custom folders. El plugin Meta Box en versiones anteriores a 4.16.2 para WordPress, maneja inapropiadamente la carga de archivos hacia carpetas personalizadas. • https://metabox.io/changelog • CWE-19: Data Processing Errors CWE-73: External Control of File Name or Path •