
CVE-2022-32970 – WordPress Themify Portfolio Post Plugin <= 1.2.4 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-32970
18 Apr 2023 — Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Themify Themify Portfolio Post plugin <= 1.2.4 versions. The Themify Portfolio Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Auth.... • https://patchstack.com/database/vulnerability/themify-portfolio-post/wordpress-themify-portfolio-post-plugin-1-2-2-auth-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-0362 – Themify Portfolio Post < 1.2.2 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0362
19 Jan 2023 — Themify Portfolio Post WordPress plugin before 1.2.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Themify Portfolio Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 1.2.1 due to insufficient input sanitization and output esc... • https://wpscan.com/vulnerability/95ee3257-cfda-480d-b3f7-28235564cf6d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-4464 – Themify Portfolio Post < 1.2.1 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-4464
23 Dec 2022 — Themify Portfolio Post WordPress plugin before 1.2.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privileged users such as admin. The Themify Portfolio Post WordPress plugin, in versions before 1.2.1, does not validate or escape some of its attributes before outputting them back in the page, which could... • https://wpscan.com/vulnerability/1d3636c1-976f-4c84-8cca-413e38170d0c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-0200 – Themify Portfolio Post < 1.1.7 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0200
14 Jan 2022 — Themify Portfolio Post WordPress plugin before 1.1.7 does not sanitise and escape the num_of_pages parameter before outputting it back in the response of the themify_create_popup_page_pagination AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting. The Themify Portfolio Post WordPress plugin, in versions before 1.1.7, does not sanitise or escape the num_of_pages parameter before outputting it back in the response of the themify_create_popup_page_pagination AJAX action (available... • https://wpscan.com/vulnerability/bbc0b812-7b30-4ab4-bac8-27c706b3f146 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-24129 – Themify Portfolio Post < 1.1.6 - Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24129
04 Dec 2020 — Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Panel is embedded, which could lead to privilege escalation. Unvalidated input and a lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead ... • https://wpscan.com/vulnerability/c8537e5f-1948-418b-9d29-3cf50cd8f9a6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •