CVE-2022-1322 – Coming Soon - Under Construction <= 1.1.9 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1322
The Coming Soon - Under Construction WordPress plugin through 1.1.9 does not sanitize and escape some of its settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
Second description (different affected range): the Coming Soon – Under Construction plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts into pages that execute whenever a user accesses an injected page.
Note that the two descriptions disagree on the affected range (through 1.1.9 versus up to and including 1.2.0); check the installed version against the plugin's changelog rather than assuming the narrower range is patched. • https://wpscan.com/vulnerability/e1724471-26bd-4cb3-a279-51783102ed0c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-1324 – Event Timeline <= 1.1.5 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1324
The Event Timeline WordPress plugin through 1.1.5 does not sanitize and escape Timeline Text, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
Second description (different affected range): the Event Timeline WordPress plugin through 1.1.6 does not sanitize and escape Timeline Text, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
Note that the title says <= 1.1.5 while the second description says through 1.1.6; verify the fixed version against the plugin's changelog. • https://wpscan.com/vulnerability/2ce2a387-acc8-482a-9452-a4d9acb187fd • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-1327 – Image Gallery - Grid Gallery < 1.1.6 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1327
The Image Gallery WordPress plugin before 1.1.6 does not sanitize and escape some of its Image fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
Second description (different affected range): the Image Gallery - Grid Gallery WordPress plugin through 1.1.1 does not sanitize and escape some of its Image fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
Note that the two descriptions give different affected ranges (before 1.1.6 versus through 1.1.1); treat 1.1.6 as the first fixed release per the title and verify against the plugin's changelog. • https://wpscan.com/vulnerability/6b71eb38-0a4a-49d1-96bc-84bbe675be1e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
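The three entries above share one root cause: a plugin setting is saved with update_option() and later echoed into admin or front-end HTML without sanitization or escaping. Core's kses filtering only applies to post content, so the unfiltered_html capability (which is withheld from administrators on multisite and when DISALLOW_UNFILTERED_HTML is set) never comes into play for option values; the plugin must do the work itself. The following is an added illustration written for this page, not code from any of the plugins listed; the option names, field names and function names are hypothetical. It shows the vulnerable pattern next to a hardened one that applies capability and nonce checks, sanitizes on input and escapes for the output context.

```php
<?php
/*
 * Added illustration, not code from the Coming Soon, Event Timeline or
 * Image Gallery plugins. Option, field and function names are hypothetical.
 */

// --- Vulnerable pattern: raw POST value stored and echoed unescaped ---
// update_option() does not run kses on the value, so the unfiltered_html
// capability is never consulted: an admin who lacks it (multisite, or
// DISALLOW_UNFILTERED_HTML) can still persist "<script>...</script>" here,
// and it runs for every user who views the page that prints it.
function example_save_settings_vulnerable() {
    if ( isset( $_POST['example_heading'] ) ) {
        update_option( 'example_heading', $_POST['example_heading'] );
    }
}

function example_render_heading_vulnerable() {
    echo '<h1>' . get_option( 'example_heading' ) . '</h1>';
}

// --- Hardened pattern: authorize, verify nonce, sanitize in, escape out ---
function example_save_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // Nonce emitted in the form with wp_nonce_field( 'example_save_settings' ).
    check_admin_referer( 'example_save_settings' );

    if ( isset( $_POST['example_heading'] ) ) {
        // Plain-text field: strip all tags and control characters.
        $heading = sanitize_text_field( wp_unslash( $_POST['example_heading'] ) );
        update_option( 'example_heading', $heading );
    }
    if ( isset( $_POST['example_message'] ) ) {
        // Field that legitimately holds limited HTML: wp_kses_post() applies
        // the same allow-list core uses for post content from users without
        // unfiltered_html, so <script>, on* handlers and javascript: URLs go.
        $message = wp_kses_post( wp_unslash( $_POST['example_message'] ) );
        update_option( 'example_message', $message );
    }
}

// Equivalent declarative form for the Settings API: the sanitize_callback
// runs on every save path, including REST and WP-CLI writes to the option.
add_action( 'admin_init', function () {
    register_setting( 'example_group', 'example_heading', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
    ) );
    register_setting( 'example_group', 'example_message', array(
        'type'              => 'string',
        'sanitize_callback' => 'wp_kses_post',
    ) );
} );

function example_render_fixed() {
    // Escape for the exact output context, even though input was sanitized:
    // a value that is safe as text is not automatically safe inside an attribute.
    $heading = get_option( 'example_heading', '' );
    $message = get_option( 'example_message', '' );
    echo '<h1>' . esc_html( $heading ) . '</h1>';
    echo '<div class="msg">' . wp_kses_post( $message ) . '</div>';
    echo '<input type="text" name="example_heading" value="' . esc_attr( $heading ) . '">';
}
```

When auditing a plugin for this class of bug, search for every update_option() / add_option() call whose value comes from $_POST or $_REQUEST and trace the matching get_option() to where it is printed; any path without a sanitize_* call on the way in and an esc_* or wp_kses_* call on the way out is a candidate, regardless of the capability required to reach the settings page.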
CVE-2021-24831 – Tab - Accordion, FAQ < 1.3.2 - Unauthenticated AJAX Calls
https://notcve.org/view.php?id=CVE-2021-24831
All AJAX actions of the Tab WordPress plugin before 1.3.2 are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as adding, editing or deleting arbitrary tabs. • https://wpscan.com/vulnerability/75ed9f5f-e091-4372-a6cb-57958ad5f900 • CWE-425: Direct Request ('Forced Browsing') CWE-862: Missing Authorization •
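The mechanism behind this entry is WordPress's admin-ajax.php dispatcher: it fires wp_ajax_{action} for logged-in requests and wp_ajax_nopriv_{action} for anonymous ones, and it performs no authorization of its own. A plugin that registers write actions on both hooks, or whose callback never checks a capability and nonce, lets anyone who can reach /wp-admin/admin-ajax.php change its data. The following is an added illustration written for this page, not the Tab plugin's code; the action name, option names and function names are hypothetical.

```php
<?php
/*
 * Added illustration, not code from the Tab plugin.
 * Action, option and function names are hypothetical.
 */

// --- Vulnerable pattern: one callback on both hooks, no checks inside ---
// Any client can POST action=example_save_tab&tab_id=1&title=... to
// /wp-admin/admin-ajax.php with no cookies and overwrite the option.
function example_save_tab_vulnerable() {
    $tab_id = isset( $_POST['tab_id'] ) ? intval( $_POST['tab_id'] ) : 0;
    $title  = isset( $_POST['title'] ) ? $_POST['title'] : '';
    update_option( 'example_tab_' . $tab_id, $title );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_tab',        'example_save_tab_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_tab', 'example_save_tab_vulnerable' );

// --- Hardened pattern ---
function example_save_tab_fixed() {
    // 1. CSRF: the page that issues the request embeds
    //    wp_create_nonce( 'example_tab_nonce' ) as the "_ajax_nonce" field;
    //    check_ajax_referer() terminates the request on mismatch.
    check_ajax_referer( 'example_tab_nonce' );

    // 2. Authorization: "logged in" is not a privilege level. Require the
    //    capability that matches the action (here, site options).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Sanitize before storing so the same data cannot become stored XSS
    //    when a template later prints it.
    $tab_id = isset( $_POST['tab_id'] ) ? absint( $_POST['tab_id'] ) : 0;
    $title  = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    if ( 0 === $tab_id ) {
        wp_send_json_error( 'invalid tab id', 400 );
    }
    update_option( 'example_tab_' . $tab_id, $title );
    wp_send_json_success( array( 'tab_id' => $tab_id, 'title' => $title ) );
}
// Register the authenticated hook only. A wp_ajax_nopriv_ hook is appropriate
// solely for read-only actions that are meant to be public, and even those
// should sanitize their input.
add_action( 'wp_ajax_example_save_tab', 'example_save_tab_fixed' );
```

A quick check when reviewing a plugin: grep its source for wp_ajax_nopriv_ and confirm each callback is read-only, then grep for wp_ajax_ and confirm each callback reaches current_user_can() and check_ajax_referer() (or wp_verify_nonce()) before any database write. Note that a logged-in check alone is not enough, since a subscriber-level account also fires the wp_ajax_ hook.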