CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25597 – WordPress Ultimate Reviews plugin <= 3.2.8 - Unauthenticated Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-25597
12 Feb 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Etoile Web Design Ultimate Reviews allows Stored XSS.This issue affects Ultimate Reviews: from n/a through 3.2.8. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('cross-site Scripting') en Etoile Web Design Ultimate Reviews permite almacenar XSS. Este problema afecta a Ultimate Reviews: desde n/a hasta 3.2.8. The Ultimate Reviews plugin for WordPress is vul... • https://patchstack.com/database/vulnerability/ultimate-reviews/wordpress-ultimate-reviews-plugin-3-2-8-unauthenticated-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23979 – WordPress Ultimate Reviews plugin <= 3.0.15 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2022-23979
06 Jan 2022 — Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability discovered in Ultimate Reviews WordPress plugin (versions <= 3.0.15). Se ha detectado una vulnerabilidad de tipo Cross-Site Scripting (XSS) autenticado (admin+) en el plugin Ultimate Reviews de WordPress (versiones anteriores a 3.0.15 incluyéndola) • https://patchstack.com/database/vulnerability/ultimate-reviews/wordpress-ultimate-reviews-plugin-3-0-15-authenticated-stored-cross-site-scripting-xss-vulnerability • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2020-36726 – Ultimate Reviews < 2.1.33 - PHP Object Injection
https://notcve.org/view.php?id=CVE-2020-36726
10 Nov 2020 — The Ultimate Reviews plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.1.32 via deserialization of untrusted input in several vulnerable functions. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. • https://blog.nintechnet.com/wordpress-ultimate-reviews-plugin-fixed-insecure-deserialization-vulnerability • CWE-502: Deserialization of Untrusted Data •