5 results (0.028 seconds)

CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Richteam Share Buttons – Social Media allows Blind SQL Injection.This issue affects Share Buttons – Social Media: from n/a through 1.0.2. The Share Buttons – Social Media plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.0.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/rich-web-share-button/wordpress-share-buttons-social-media-plugin-1-0-2-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1

The Coming Soon - Under Construction WordPress plugin through 1.1.9 does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed El plugin Coming Soon - Under Construction de WordPress versiones hasta 1.1.9 no sanea ni escapa de algunas de sus configuraciones, lo que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando unfiltered_html está deshabilitado The Coming Soon – Under Construction plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/e1724471-26bd-4cb3-a279-51783102ed0c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1

The Event Timeline WordPress plugin through 1.1.5 does not sanitize and escape Timeline Text, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed El plugin Event Timeline de WordPress versiones hasta 1.1.5, no sanea ni escapa del texto de la línea de tiempo, lo que podría permitir a usuarios con altos privilegios, como el administrador, llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando unfiltered_html está deshabilitado The Event Timeline WordPress plugin through 1.1.6 does not sanitize and escape Timeline Text, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed • https://wpscan.com/vulnerability/2ce2a387-acc8-482a-9452-a4d9acb187fd • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1

The Image Gallery WordPress plugin before 1.1.6 does not sanitize and escape some of its Image fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed El plugin Image Gallery - Grid Gallery de WordPress en versiones anteriores a la 1.1.6 no sanea y escapa de algunos de sus campos de imagen, lo que podría permitir a usuarios con altos privilegios, como el administrador, llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando unfiltered_html está deshabilitado The Image Gallery - Grid Gallery WordPress plugin through 1.1.1 does not sanitize and escape some of its Image fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed • https://wpscan.com/vulnerability/6b71eb38-0a4a-49d1-96bc-84bbe675be1e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1

All AJAX actions of the Tab WordPress plugin before 1.3.2 are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as add/edit/delete arbitrary tabs. Todas las acciones AJAX del plugin Tab de WordPress versiones anteriores a 1.3.2, están disponibles tanto para usuarios no autenticados como para los autenticados, permitiendo a atacantes no autenticados modificar varios datos en el plugin, como añadir/editar/borrar pestañas arbitrarias • https://wpscan.com/vulnerability/75ed9f5f-e091-4372-a6cb-57958ad5f900 • CWE-425: Direct Request ('Forced Browsing') CWE-862: Missing Authorization •