5 results (0.006 seconds)

CVSS: 4.3EPSS: %CPEs: 1EXPL: 0

The Dynamic Widgets plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

The Dynamic Widgets WordPress plugin through 1.5.16 does not escape the prefix parameter before outputting it back in an attribute when using the term_tree AJAX action (available to any authenticated users), leading to a Reflected Cross-Site Scripting issue El plugin Dynamic Widgets de WordPress versiones hasta 1.5.16, no escapa el parámetro prefix antes de devolverlo en un atributo cuando es usada la acción AJAX term_tree (disponible para cualquier usuario autenticado), conllevando a un problema de tipo Cross-Site Scripting Reflejado. • https://wpscan.com/vulnerability/b8e6f0d3-a7d1-4ca8-aba8-0d5075167d55 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

A vulnerability, which was classified as critical, has been found in Dynamic Widgets Plugin up to 1.5.10 on WordPress. This issue affects some unknown processing of the file classes/dynwid_class.php. The manipulation leads to sql injection. The attack may be initiated remotely. Upgrading to version 1.5.11 is able to address this issue. • https://github.com/wp-plugins/dynamic-widgets/commit/d0a19c6efcdc86d7093b369bc9e29a0629e57795 https://github.com/wp-plugins/dynamic-widgets/releases/tag/1.5.11 https://vuldb.com/?ctiid.225353 https://vuldb.com/?id.225353 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2

The dynamic-widgets plugin before 1.5.11 for WordPress has XSS via the wp-admin/admin-ajax.php?action=term_tree prefix or widget_id parameter. El plugin dynamic-widgets versiones anteriores a 1.5.11 para WordPress, presenta una vulnerabilidad de tipo XSS por medio del parámetro prefix o widget_id de wp-admin/admin-ajax.php?action=term_tree . • http://cinu.pl/research/wp-plugins/mail_489304900a50751da1495e2ea660bc51.html https://wordpress.org/plugins/dynamic-widgets/#developers https://wpvulndb.com/vulnerabilities/8258 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2

The dynamic-widgets plugin before 1.5.11 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=dynwid-config page_limit parameter. El plugin dynamic-widgets versiones anteriores a 1.5.11 para WordPress, presenta una vulnerabilidad de tipo CSRF con un XSS resultante por medio del parámetro page_limit de wp-admin/themes.php?page=dynwid-config. • http://cinu.pl/research/wp-plugins/mail_489304900a50751da1495e2ea660bc51.html https://wordpress.org/plugins/dynamic-widgets/#developers https://wpvulndb.com/vulnerabilities/8258 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •