5 results (0.004 seconds)

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0

The Easy Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file upload feature in all versions up to, and including, 1.11.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Easy Google Maps para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de la función de carga de archivos del complemento en todas las versiones hasta la 1.11.15 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de autor y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/google-maps-easy/tags/1.11.15/modules/icons/mod.php https://plugins.trac.wordpress.org/changeset/3105921 https://www.wordfence.com/threat-intel/vulnerabilities/id/4af9c623-1539-4afc-9dcd-3f97d29aa4f3?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Easy Google Maps plugin <= 1.11.7 versions. The Easy Google Maps plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.11.7. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to call that function via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This is believed to be the same issue as CVE-2023-2526. • https://patchstack.com/database/vulnerability/google-maps-easy/wordpress-easy-google-maps-plugin-1-11-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

The Easy Google Maps plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.11.7. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to executes AJAX actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The Easy Google Maps plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.11.7. This is due to missing or incorrect nonce validation on the AJAX action handler. • https://plugins.trac.wordpress.org/browser/google-maps-easy/trunk/classes/frame.php?rev=2777743#L246 https://plugins.trac.wordpress.org/changeset/2916430 https://plugins.trac.wordpress.org/changeset/2916430/google-maps-easy/trunk/classes/frame.php?contextall=1 https://www.wordfence.com/threat-intel/vulnerabilities/id/4ea4ca00-185b-4f5d-9c5c-f81ba4edad05?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

The Easy Google Maps WordPress plugin before 1.9.32 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting El plugin Easy Google Maps de WordPress versiones anteriores a 1.9.32, no escapa del parámetro tab antes de devolverlo a un atributo en el panel de administración, conllevando a un ataque de tipo Cross-Site Scripting Reflejado • https://wpscan.com/vulnerability/cba4ccdd-9331-4ca0-b910-8f427ed9b540 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1

The Google Maps Easy WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/modules/marker_groups/views/tpl/mgrEditMarkerGroup.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.9.33. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. El plugin Google Maps Easy de WordPress es vulnerable a un ataque de tipo Cross-Site Scripting Almacenado debido a una comprobación insuficiente y saneamiento de entradas por medio de varios parámetros encontrados en el archivo ~/modules/marker_groups/views/tpl/mgrEditMarkerGroup.php que permitían a atacantes con acceso de usuario administrativo inyectar scripts web arbitrarios, en versiones hasta 1.9.33 incluyéndola. Esto afecta a las instalaciones multisitio en las que unfiltered_html está deshabilitado para los administradores, y a los sitios en los que unfiltered_html está deshabilitado • https://github.com/BigTiger2020/word-press/blob/main/Google%20Maps%20Easy.md https://plugins.trac.wordpress.org/changeset/2620851/google-maps-easy/trunk/modules/marker_groups/views/tpl/mgrEditMarkerGroup.php https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39346 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •