
CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

The HL Twitter WordPress plugin through 2014.1.18 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

The HL Twitter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2014.1.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

• https://wpscan.com/vulnerability/cbab7639-fdb2-4ee5-b5ca-9e30701a63b7
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

The HL Twitter WordPress plugin through 2014.1.18 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

The HL Twitter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2014.1.18. This is due to missing or incorrect nonce validation on the hl_twitter_settings page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

• https://wpscan.com/vulnerability/c1f6ed2c-0f84-4b13-b39e-5cb91443c2b1
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

The HL Twitter WordPress plugin through 2014.1.18 does not have a CSRF check when unlinking Twitter accounts, which could allow attackers to make logged-in admins perform such actions via a CSRF attack.

The HL Twitter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2014.1.18. This is due to missing or incorrect nonce validation on the hl_twitter_settings page. This makes it possible for unauthenticated attackers to unlink a Twitter account via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

• https://wpscan.com/vulnerability/c59a8b49-6f3e-452b-ba9b-50b80c522ee9
• CWE-352: Cross-Site Request Forgery (CSRF)