CVSS: 4.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-9828 – Taskbuilder < 3.0.5 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2024-9828
The Taskbuilder WordPress plugin before 3.0.5 does not sanitize user input into the 'load_orders' parameter and uses it in a SQL statement, allowing high privilege users such as admin to perform SQL Injection attacks • https://wpscan.com/vulnerability/eb2d0932-fd47-4aef-9d08-4377c742bb6e •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3137 – TaskBuilder < 1.0.8 - Subscriber+ Stored XSS via SVG file upload
https://notcve.org/view.php?id=CVE-2022-3137
The Taskbuilder WordPress plugin before 1.0.8 does not validate and sanitise task's attachments, which could allow any authenticated user (such as subscriber) creating a task to perform Stored Cross-Site Scripting by attaching a malicious SVG file El plugin Taskbuilder de WordPress versiones anteriores a 1.0.8, no comprueba ni sanea los archivos adjuntos de las tareas, lo que podría permitir a cualquier usuario autenticado (como un suscriptor) que cree una tarea llevar a cabo ataques de tipo Cross-Site Scripting Almacenado al adjuntar un archivo SVG malicioso The Taskbuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts into SVG files that are uploaded as part of the task creation process and that will execute whenever a user accesses an injected page or access such an SVG file directly. • https://wpscan.com/vulnerability/524928d6-d4e9-4a2f-b410-46958da549d8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •