CVE-2021-24675 – One User Avatar < 2.3.7 - Avatar Update via CSRF
https://notcve.org/view.php?id=CVE-2021-24675
The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the avatar on a page where the [avatar_upload] shortcode is embedded. As a result, an attacker could make a logged-in user change their own avatar via a CSRF attack. The form is rendered on the public front end for any logged-in user, so a victim only needs an active WordPress session and a visit to an attacker-controlled page. • https://wpscan.com/vulnerability/9b9a55d5-c121-4b5b-80df-f9f419c0dc55 • CWE-352: Cross-Site Request Forgery (CSRF) •
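The following is an added illustration, not the plugin's own code and not the 2.3.7 patch: a shortcode-rendered avatar upload form whose handler trusts any authenticated POST, beside the usual WordPress remediation of binding the form to a nonce and verifying it before touching user meta. The shortcode name demo_avatar_upload, the field names demo_avatar, demo_avatar_submit and demo_avatar_nonce, and the meta key demo_avatar_id are assumptions for illustration only.

```php
<?php
/*
 * Added example (not the plugin's code): a front-end avatar upload form
 * rendered by a shortcode, first without and then with a CSRF nonce.
 * All names starting with demo_ are assumptions for illustration.
 */

// --- Vulnerable pattern: the POST is trusted as long as a user is logged in.
function demo_avatar_form_vulnerable() {
    if ( ! is_user_logged_in() ) {
        return '';
    }
    return '<form method="post" enctype="multipart/form-data">'
         . '<input type="file" name="demo_avatar">'
         . '<button name="demo_avatar_submit" value="1">Upload</button>'
         . '</form>';
}

function demo_avatar_handle_vulnerable() {
    if ( empty( $_POST['demo_avatar_submit'] ) || ! is_user_logged_in() ) {
        return;
    }
    // A cross-site request arrives with the victim's auth cookie, so this
    // runs as the victim: whatever was posted becomes their avatar.
    demo_avatar_store_upload();
}

// --- Hardened pattern: a nonce tied to the action and the current user.
function demo_avatar_form_hardened() {
    if ( ! is_user_logged_in() ) {
        return '';
    }
    // wp_nonce_field( $action, $name, $referer, $echo ): with $echo = false it
    // returns the hidden nonce field so the shortcode can return the markup.
    $nonce = wp_nonce_field( 'demo_avatar_update', 'demo_avatar_nonce', true, false );
    return '<form method="post" enctype="multipart/form-data">'
         . $nonce
         . '<input type="file" name="demo_avatar">'
         . '<button name="demo_avatar_submit" value="1">Upload</button>'
         . '</form>';
}

function demo_avatar_handle_hardened() {
    if ( empty( $_POST['demo_avatar_submit'] ) || ! is_user_logged_in() ) {
        return;
    }
    // wp_verify_nonce() is false for a missing, forged or expired nonce. The
    // value is derived from the action name, the user ID and the session
    // token, so a third-party page cannot construct a valid one.
    $nonce = isset( $_POST['demo_avatar_nonce'] ) ? $_POST['demo_avatar_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_avatar_update' ) ) {
        wp_die( 'Invalid request.', 403 );
    }
    demo_avatar_store_upload();
}

// Shared storage step: media_handle_upload() lives in wp-admin, so the
// includes are loaded explicitly on the front end.
function demo_avatar_store_upload() {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    $attachment_id = media_handle_upload( 'demo_avatar', 0 );
    if ( ! is_wp_error( $attachment_id ) ) {
        // Only the current user's own meta is ever written.
        update_user_meta( get_current_user_id(), 'demo_avatar_id', $attachment_id );
    }
}

add_shortcode( 'demo_avatar_upload', 'demo_avatar_form_hardened' );
add_action( 'init', 'demo_avatar_handle_hardened' );
```

A nonce proves the request originated from a form this site rendered for this user; it is not an authorization check, so handlers that act on any user other than the current one still need a current_user_can() test on top.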
CVE-2021-24672 – One User Avatar < 2.3.7 - Contributor+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24672
The One User Avatar WordPress plugin before 2.3.7 does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform stored cross-site scripting attacks. Contributors lack the unfiltered_html capability and their post content is filtered by wp_kses_post on save, but a shortcode tag is plain text to that filter; the attribute values are only turned into HTML when the shortcode is expanded at render time, in the browser of every visitor or reviewing editor. • https://wpscan.com/vulnerability/762c506a-f57d-450f-99c0-32d750306ddc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
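An added illustration of the bug class, not the plugin's own shortcode handler and not its fix: a shortcode that wraps an avatar in a link built from link and target attributes, first interpolated raw and then escaped for their respective contexts. The shortcode name demo_avatar and the function names are assumptions for illustration.

```php
<?php
/*
 * Added example (not the plugin's code): a shortcode whose link/target
 * attributes reach HTML output, in a vulnerable and a hardened form.
 * The shortcode name demo_avatar and all function names are assumptions.
 */

// --- Vulnerable pattern: attribute values are dropped into markup as-is.
//
// A Contributor can save a post containing, for example:
//   [demo_avatar link="https://example.test" target='_blank" onmouseover="alert(1)']
// Shortcode attributes may be single-quoted, so the double quote inside the
// target value survives parsing, and the rendered output becomes:
//   <a href="https://example.test" target="_blank" onmouseover="alert(1)">...
// A link="javascript:alert(1)" value is reflected into href unchanged as well.
function demo_avatar_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array(
        'link'   => '',
        'target' => '',
    ), $atts, 'demo_avatar' );

    $img = get_avatar( get_current_user_id(), 96 );
    if ( '' === $atts['link'] ) {
        return $img;
    }
    return '<a href="' . $atts['link'] . '" target="' . $atts['target'] . '">'
         . $img . '</a>';
}

// --- Hardened pattern: escape per context, and constrain target to a
// known set rather than escaping an arbitrary string.
function demo_avatar_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array(
        'link'   => '',
        'target' => '',
    ), $atts, 'demo_avatar' );

    $img = get_avatar( get_current_user_id(), 96 );

    // esc_url() returns '' for schemes outside the allowed list, so a
    // javascript: link collapses to no link at all.
    $href = esc_url( $atts['link'] );
    if ( '' === $href ) {
        return $img;
    }

    // Allow-list the target; anything else is dropped rather than encoded,
    // which also keeps "_blank" from carrying stray attribute text.
    $allowed_targets = array( '_self', '_blank', '_parent', '_top' );
    $target = in_array( $atts['target'], $allowed_targets, true ) ? $atts['target'] : '';

    $html = '<a href="' . $href . '"';
    if ( '' !== $target ) {
        // esc_attr() is still applied so the rule holds if the list grows.
        $html .= ' target="' . esc_attr( $target ) . '"';
        if ( '_blank' === $target ) {
            $html .= ' rel="noopener"';
        }
    }
    return $html . '>' . $img . '</a>';
}

add_shortcode( 'demo_avatar', 'demo_avatar_shortcode_hardened' );
```

The two escapers are not interchangeable: esc_attr() neutralises quote characters in an attribute value but would leave a javascript: URL intact in href, while esc_url() validates the scheme but does not protect a non-URL attribute such as target.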
CVE-2011-3860 – Cover WP <= 1.6.5 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-3860
Cross-site scripting (XSS) vulnerability in the Cover WP theme before 1.6.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter. s is WordPress's built-in search query parameter, so the injection is reflected through the theme's rendering of the search results page. • https://www.exploit-db.com/exploits/36183 http://www.securityfocus.com/bid/50334 https://sitewat.ch/en/Advisories/18 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
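An added illustration of the reflected pattern, not the Cover WP theme's actual template (which is not on the page): a search results heading that echoes the s parameter raw, beside the WordPress-native escaped forms for a text node and for an attribute value. The function names are assumptions for illustration.

```php
<?php
/*
 * Added example (not the theme's code): the search heading of a theme's
 * search.php, in a vulnerable and a safe form. Function names are assumed.
 */

// --- Vulnerable: the raw query string is reflected into the page.
// Request: /?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E
// Output:  <h1>Search results for: <script>alert(1)</script></h1>
// WordPress adds slashes to $_GET (wp_magic_quotes) but performs no HTML
// escaping, so angle brackets pass straight through.
function demo_search_title_vulnerable() {
    $s = isset( $_GET['s'] ) ? $_GET['s'] : '';
    return '<h1>Search results for: ' . $s . '</h1>';
}

// Also vulnerable: get_search_query( false ) returns the unescaped query,
// and the global $s seen in older themes is likewise unescaped.

// --- Safe for a text node: esc_html() encodes <, >, &, " and '.
function demo_search_title_safe() {
    return '<h1>Search results for: ' . esc_html( get_search_query( false ) ) . '</h1>';
}

// --- Safe for an attribute value, e.g. refilling the search box.
// get_search_query() with its default $escaped = true already applies
// esc_attr(); calling esc_attr() on the unescaped form is equivalent and
// makes the escaping visible at the point of output.
function demo_search_input_safe() {
    return '<input type="search" name="s" value="'
         . esc_attr( get_search_query( false ) ) . '">';
}

// --- Safe in a URL, e.g. a "search again" link: esc_url() for the URL as a
// whole, after urlencode() for the embedded query value.
function demo_search_link_safe() {
    $url = home_url( '/?s=' . urlencode( get_search_query( false ) ) );
    return '<a href="' . esc_url( $url ) . '">Search again</a>';
}
```

When auditing a theme for this issue, grep search.php, searchform.php and header.php for $_GET['s'], $_REQUEST['s'], the global $s and get_search_query( false ), and check that each reaches output through esc_html(), esc_attr() or esc_url() according to where it lands.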