4 results (0.020 seconds)

CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 1

The SportsPress WordPress plugin before 2.7.22 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) The SportsPress – Sports Club & League Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/76c78f8e-e3da-47d9-9bf4-70e9dd125b82 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0

Missing Authorization vulnerability in ThemeBoy SportsPress – Sports Club & League Manager.This issue affects SportsPress – Sports Club & League Manager: from n/a through 2.7.20. Vulnerabilidad de autorización faltante en ThemeBoy SportsPress – Sports Club & League Manager. Este problema afecta a SportsPress – Sports Club & League Manager: desde n/a hasta 2.7.20. The SportsPress – Sports Club & League Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the add_notices() function in versions up to, and including, 2.7.20. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss notices. • https://patchstack.com/database/vulnerability/sportspress/wordpress-sportspress-sports-club-league-manager-plugin-2-7-20-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

The SportsPress WordPress plugin before 2.7.9 does not sanitise and escape its match_day parameter before outputting back in the Events backend page, leading to a Reflected Cross-Site Scripting issue El plugin SportsPress de WordPress versiones anteriores a 2.7.9, no sanea y escapa de su parámetro match_day antes de devolverlo a la página del backend de Eventos, conllevando a un problema de tipo Cross-Site Scripting Reflejado • https://wpscan.com/vulnerability/69351798-c790-42d4-9485-1813cd325769 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

The SportsPress plugin before 2.7.2 for WordPress allows XSS. El plugin SportsPress versiones anteriores a 2.7.2 para WordPress, permite un ataque de tipo XSS • https://wpvulndb.com/vulnerabilities/10257 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •