CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12299 – System Dashboard <= 2.8.15 - Reflected Cross-Site Scripting via Filename Parameter
https://notcve.org/view.php?id=CVE-2024-12299
30 Jan 2025 — The System Dashboard plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the Filename parameter in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link. The System Dashboard plugin for WordPress is vulnerable to Reflected Cross-... • https://plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.15/admin/class-system-dashboard-admin.php#L2323 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10790 – Admin and Site Enhancements (ASE) <= 7.5.1 - Authenticated Stored Cross-Site Scripting via SVG
https://notcve.org/view.php?id=CVE-2024-10790
11 Nov 2024 — The Admin and Site Enhancements (ASE) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 7.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. This feature must be enabled, and for specific roles in order to be exploitable. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3180884%40admin-site-enhancements%2Ftags%2F7.5.1&new=3185287%40admin-site-enhancements%2Ftags%2F7.5.2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5816 – Code Explorer <= 1.4.5 - Authenticated (Admin+) External File Reading
https://notcve.org/view.php?id=CVE-2023-5816
29 Oct 2024 — The Code Explorer plugin for WordPress is vulnerable to arbitrary external file reading in all versions up to, and including, 1.4.5. This is due to the fact that the plugin does not restrict accessing files to those outside of the WordPress instance, though the intention of the plugin is to only access WordPress related files. This makes it possible for authenticated attackers, with administrator-level access, to read files outside of the WordPress instance. El complemento Code Explorer para WordPress es vu... • https://wordpress.org/plugins/code-explorer/#developers • CWE-73: External Control of File Name or Path •