
CVSS: 4.3 • EPSS: % • CPEs: 1 • EXPL: 0

The Professional Social Sharing Buttons, Icons & Related Posts – Shareaholic plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'accept_terms_of_service' function in all versions up to, and including, 9.7.11. This makes it possible for authenticated attackers, with subscriber access and above, to accept the plugin's terms of service. • CWE-862: Missing Authorization

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

The Shareaholic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'shareaholic' shortcode in versions up to, and including, 9.7.8 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/changeset/2995413/shareaholic#file51 https://www.wordfence.com/threat-intel/vulnerabilities/id/ff6932c6-f3ec-46a8-a03b-95512eee5bf1?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

The Professional Social Sharing Buttons, Icons & Related Posts WordPress plugin before 9.7.6 does not have a proper authorisation check in one of its AJAX actions, which is available to unauthenticated (in v < 9.7.5) and author+ (in v9.7.5) users, allowing them to call it and retrieve various information such as the list of active plugins and the versions of PHP, cURL, WP, etc. • https://wpscan.com/vulnerability/4de9451e-2c8d-4d99-a255-b027466d29b1 • CWE-863: Incorrect Authorization

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 3

Cross-site scripting (XSS) vulnerability in admin.php in the Shareaholic plugin before 7.6.1.0 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the location[id] parameter in a shareaholic_add_location action to wp-admin/admin-ajax.php. WordPress Shareaholic plugin version 7.6.0.3 suffers from a cross-site scripting vulnerability. • https://www.exploit-db.com/exploits/36674 http://packetstormsecurity.com/files/131321/WordPress-Shareaholic-7.6.0.3-Cross-Site-Scripting.html http://security.szurek.pl/shareaholic-7603-xss.html https://wordpress.org/plugins/shareaholic/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')