10 results (0.019 seconds)

CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1

16 Aug 2023 — The wpDataTables WordPress plugin before 2.1.66 does not validate the "Serialized PHP array" input data before deserializing the data. This allows admins to deserialize arbitrary data which may lead to remote code execution if a suitable gadget chain is present on the server. This is impactful in environments where admin users should not be allowed to execute arbitrary code, such as multisite. El complemento de WordPress wpDataTables anterior a 2.1.66 no valida los datos de entrada de la "Serialized PHP arr... • https://wpscan.com/vulnerability/1ab192d7-72ac-4f12-8a51-f28ee4db91bc • CWE-502: Deserialization of Untrusted Data •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

20 Feb 2023 — Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in TMS-Plugins wpDataTables plugin <= 2.1.49 versions. The wpDataTables plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.49 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Auth... • https://patchstack.com/database/vulnerability/wpdatatables/wordpress-wpdatatables-wordpress-tables-table-charts-plugin-plugin-2-1-49-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0

06 May 2022 — Multiple Authenticated (administrator or higher user role) Persistent Cross-Site Scripting (XSS) vulnerabilities in TMS-Plugins wpDataTables plugin <= 2.1.27 on WordPress via &data-link-text, &data-link-url, &data, &data-shortcode, &data-star-num vulnerable parameters. Múltiples vulnerabilidades de tipo Cross-Site Scripting (XSS) persistentes y autenticadas (administrador o rol de usuario superior) en el plugin TMS-Plugins wpDataTables versiones anteriores a 2.1.27 incluyéndola, en WordPress por medio de lo... • https://patchstack.com/database/vulnerability/wpdatatables/wordpress-wpdatatables-plugin-2-1-27-multiple-authenticated-persistent-cross-site-scripting-xss-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0

04 Apr 2022 — Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in wpDataTables (WordPress plugin) versions <= 2.1.27 Una vulnerabilidad de tipo Cross-Site Scripting (XSS) Autenticado (admin+) Almacenado en wpDataTables (plugin de WordPress) versiones anteriores a 2.1.27 incluyéndola The wpDataTables plugin <= 2.1.27 is vulnerable to authenticated (admin+) Stored Cross-Site Scripting • https://patchstack.com/database/vulnerability/wpdatatables/wordpress-wpdatatables-plugin-2-1-27-stored-cross-site-scripting-xss-vulnerability • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0

16 Mar 2021 — The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to access the data of another user that are present in the same table by taking over the user permissions on the table through formdata[wdt_ID] parameter. By exploiting this issue an attacker is able to access and manage the data of all users in the same table. El plugin wpDataTables – Tables... • https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii • CWE-284: Improper Access Control •

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0

16 Mar 2021 — The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to delete the data of another user that are present in the same table through id_key and id_val parameters. By exploiting this issue an attacker is able to delete the data of all users in the same table. El plugin wpDataTables – Tables & Table Charts premium WordPress versiones anteriores... • https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii • CWE-284: Improper Access Control •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

16 Mar 2021 — The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application. El plugin wp DataTables – Tables & Table Charts premium WordPress versiones anteriores a 3.4.2, perm... • https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

16 Mar 2021 — The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'length' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application. El plugin wpDataTables – Tables & Table Charts premium WordPress versiones anteriores a 3.4.2, perm... • https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

16 Oct 2019 — Cross-site scripting vulnerability in wpDataTables Lite Version 2.0.11 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad de tipo cross-site scripting en wpDataTables Lite Versión 2.0.11 y anteriores, permite a atacantes remotos inyectar script web o HTML arbitrario por medio de vectores no especificados. • http://jvn.jp/en/jp/JVN14776551/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0

16 Oct 2019 — SQL injection vulnerability in the wpDataTables Lite Version 2.0.11 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. La vulnerabilidad de inyección SQL en wpDataTables Lite Versión 2.0.11 y anteriores, permite a atacantes autenticados remotos ejecutar comandos SQL arbitrarios por medio de vectores no especificados. • http://jvn.jp/en/jp/JVN14776551/index.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •