2 results (0.003 seconds)

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0

Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in MyThemeShop Launcher: Coming Soon & Maintenance Mode plugin <= 1.0.11 at WordPress. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) Autenticado (admin+) Almacenado en MyThemeShop Launcher: Coming Soon &amp; Maintenance Mode plugin versiones anteriores a 1.0.11 incluyéndola, en WordPress. The Launcher plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/launcher/wordpress-launcher-coming-soon-maintenance-mode-plugin-1-0-11-authenticated-stored-cross-site-scripting-xss-vulnerability https://wordpress.org/plugins/launcher • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1

Multiple stored cross-site scripting (XSS) in the MyThemeShop Launcher plugin 1.0.8 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title, (2) Favicon, (3) Meta Description, (4) Subscribe Form (Name field label, Last name field label, Email field label), (5) Contact Form (Name field label and Email field label), and (6) Social Links (Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL). Múltiples ataques de XSS almacenados en el plugin MyThemeShop Launcher, versión 1.0.8, para WordPress permiten a los usuarios remotos autenticados inyectar secuencias de comandos web arbitrarias o HTML a través de los siguientes campos: (1) Título, (2) Favicon, (3) Meta Descripción, (4) Formulario de suscripción (etiqueta de campo de nombre, etiqueta de campo de apellido, etiqueta de campo de correo electrónico), (5) Formulario de contacto (etiqueta de campo de nombre y etiqueta de campo de correo electrónico) y (6) Enlaces sociales (URL de la página de Facebook, URL de la página de Twitter, URL de la página de Instagram, URL de la página de YouTube, URL de la página de Linkedin, URL de la página de Google+, URL de la página de RSS). Multiple stored cross-site scripting (XSS) in the MyThemeShop Launcher plugin before 1.0.11 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via fields as follows: (1) Title, (2) Favicon, (3) Meta Description, (4) Subscribe Form (Name field label, Last name field label, Email field label), (5) Contact Form (Name field label and Email field label), and (6) Social Links (Facebook Page URL, Twitter Page URL, Instagram Page URL, YouTube Page URL, Linkedin Page URL, Google+ Page URL, RSS URL). • https://metamorfosec.com/Files/Advisories/METS-2019-002-Multiple_Stored_XSS_Vulnerabilities_in_the_MyThemeShop_Launcher_plugin_v1.0.8_for_WordPress.txt https://wpvulndb.com/vulnerabilities/9275 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •