CVSS: 4.3EPSS: %CPEs: 1EXPL: 0CVE-2024-43235 – Meta Box – WordPress Custom Fields Framework <= 5.9.10 - Missing Authorization to Information Exposure
https://notcve.org/view.php?id=CVE-2024-43235
The Meta Box – WordPress Custom Fields Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the query function called via 'ajax_get_posts' in versions up to, and including, 5.9.10. This makes it possible for authenticated attackers, with contributor-level access and above, to view arbitrary posts. • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2024-1204 – Meta Box < 5.9.4 - Contributor+ Arbitrary Posts' Custom Field Disclosure
https://notcve.org/view.php?id=CVE-2024-1204
The Meta Box WordPress plugin before 5.9.4 does not prevent users with at least the contributor role from access arbitrary custom fields assigned to other user's posts. El complemento Meta Box de WordPress anterior a 5.9.4 no impide que los usuarios con al menos el rol de colaborador accedan a campos personalizados arbitrarios asignados a las publicaciones de otros usuarios. The Meta Box – WordPress Custom Fields Framework plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 5.9.3. This is due to the plugin not properly restricting the post meta that can be displayed through the 'rwmb_meta' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve arbitrary post meta information. • https://wpscan.com/vulnerability/03191b00-0b05-42db-9ce2-fc525981b6c9 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6526 – Meta Box – WordPress Custom Fields Framework <= 5.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-6526
The Meta Box – WordPress Custom Fields Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom post meta values displayed through the plugin's shortcode in all versions up to, and including, 5.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Meta Box – WordPress Custom Fields Framework para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de metavalores de publicación personalizados que se muestran a través del código abreviado del complemento en todas las versiones hasta la 5.9.2 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3030376%40meta-box&new=3030376%40meta-box&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/2a6bfc87-6135-4d49-baa2-e8e6291148dc?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2019-14793 – Meta Box - WordPress Custom Fields Framework <= 4.16.2 - File Deletion via attachment_id Parameter
https://notcve.org/view.php?id=CVE-2019-14793
The Meta Box plugin before 4.16.3 for WordPress allows file deletion via ajax, with the wp-admin/admin-ajax.php?action=rwmb_delete_file attachment_id parameter. El plugin Meta Box en versiones anteriores a 4.16.3 para WordPress, permite la eliminación de archivos por medio de ajax, con el parámetro wp-admin/admin-ajax.php?action=rwmb_delete_file attachment_id. • https://metabox.io/changelog https://www.pluginvulnerabilities.com/2019/02/01/full-disclosure-of-authenticated-arbitrary-file-deletion-vulnerability-in-wordpress-plugin-with-300000-installs • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-14794 – Meta Box <= 4.16.1 - Mishandling of File Upload
https://notcve.org/view.php?id=CVE-2019-14794
The Meta Box plugin before 4.16.2 for WordPress mishandles the uploading of files to custom folders. El plugin Meta Box en versiones anteriores a 4.16.2 para WordPress, maneja inapropiadamente la carga de archivos hacia carpetas personalizadas. • https://metabox.io/changelog • CWE-19: Data Processing Errors CWE-73: External Control of File Name or Path •