
CVE-2024-12249 – GS Insever Portfolio <= 1.4.5 - Missing Authorization to Authenticated (Subscriber+) CSS Injection
https://notcve.org/view.php?id=CVE-2024-12249
08 Jan 2025 — The GS Insever Portfolio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings() function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's CSS settings. • https://plugins.trac.wordpress.org/browser/gs-instagram-portfolio/tags/1.4.5/admin/Backend_Builder.php • CWE-862: Missing Authorization

CVE-2023-0539 – GS Insever Portfolio < 1.4.5 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0539
03 Feb 2023 — The GS Insever Portfolio WordPress plugin before 1.4.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The GS Insever Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 1.4.4 due to insufficient input sanitization and output esc... • https://wpscan.com/vulnerability/a4b6a83a-6394-4dfc-8bb3-4982867dab7d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')