CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7716 – GS Logo Slider Lite < 3.6.9 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-7716
The Logo Slider WordPress plugin before 3.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/cfa67c43-6f09-43f5-9fbe-32a98a82f548 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3288 – Logo Slider < 4.0.0 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-3288
The Logo Slider WordPress plugin before 4.0.0 does not validate and escape some of its Slider Settings before outputting them back in attributes, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks El complemento Logo Slider de WordPress anterior a 4.0.0 no valida ni escapa algunas de sus configuraciones del control deslizante antes de devolverlas en atributos, lo que podría permitir a los usuarios con el rol de colaborador y superiores realizar ataques de Cross-Site Scripting Almacenado. The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the header and subtitle parameter in all versions up to, and including, 3.9.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/4ef99f54-68df-4353-8fc0-9b09ac0df7ba • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4664 – Logo Slider < 3.6.0 - Contributor+ Stored XSS in Shortcode
https://notcve.org/view.php?id=CVE-2022-4664
The Logo Slider WordPress plugin before 3.6.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks The Logo Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via numerous shortcodes in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping in the 'lgx_output_function_dep' function. This makes it possible for contributor-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/d6a9cfaa-d3fa-442e-a9a1-b06588723e39 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 2CVE-2022-1687 – Logo Slider <= 1.4.8 - Admin+ SQLi
https://notcve.org/view.php?id=CVE-2022-1687
The Logo Slider WordPress plugin through 1.4.8 does not sanitise and escape the lsp_slider_id parameter before using it in a SQL statement via the Manage Slider Images admin page, leading to an SQL Injection El plugin Logo Slider de WordPress versiones hasta 1.4.8, no sanea y escapa del parámetro lsp_slider_id antes de usarlo en una sentencia SQL por medio de la página de administración Manage Slider Images, conllevando a una inyección SQL • https://bulletin.iese.de/post/logo-slider_1-4-8 https://wpscan.com/vulnerability/e7506906-5c3d-4963-ae24-55f18c3e5081 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •