CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29922 – WordPress Slider Hero plugin <= 8.6.1 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-29922
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Quantum Cloud Slider Hero allows Stored XSS.This issue affects Slider Hero: from n/a through 8.6.1. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('cross-site Scripting') en Quantum Cloud Slider Hero permite XSS almacenado. Este problema afecta a Slider Hero: desde n/a hasta 8.6.1. The Slider Hero with Animation, Video Background plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/slider-hero/wordpress-slider-hero-plugin-8-6-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3074 – Slider Hero < 8.4.4 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-3074
The Slider Hero WordPress plugin before 8.4.4 does not escape the slider Name, which could allow high-privileged users to perform Cross-Site Scripting attacks. El plugin Slider Hero de WordPress versiones anteriores a 8.4.4, no escapa del nombre del slider, lo que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting. The Slider Hero plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slider title parameter in versions up to, and including, 8.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/90ebaedc-89df-413f-b22e-753d4dd5e1c3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24506 – Slider Hero < 8.2.7 - Contributor+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-24506
The Slider Hero with Animation, Video Background & Intro Maker WordPress plugin before 8.2.7 does not sanitise or escape the id attribute of its hero-button shortcode before using it in a SQL statement, allowing users with a role as low as Contributor to perform SQL injection. El plugin de WordPress Slider Hero with Animation, Video Background & Intro Maker versiones anteriores a 8.2.7, no sanea o escapa del atributo id de su shortcode hero-button antes de usarlo en una sentencia SQL, permitiendo a usuarios con un rol tan bajo como Contributor llevar a cabo una inyección SQL. • https://wpscan.com/vulnerability/52c8755c-46b9-4383-8c8d-8816f03456b0 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-4424 – Slider Hero <= 8.2.0 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2021-4424
The Slider Hero plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.2.0. This is due to missing or incorrect nonce validation on the qc_slider_hero_duplicate() function. This makes it possible for unauthenticated attackers to duplicate slides via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4 https://blo • CWE-352: Cross-Site Request Forgery (CSRF) •