CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7879 – WP ULike < 4.7.5 - Admin+ Stored XSS via Widgets
https://notcve.org/view.php?id=CVE-2024-7879
The WP ULike WordPress plugin before 4.7.5 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed • https://wpscan.com/vulnerability/5ad1c40a-5e13-40b6-8652-c23a1f39abc2 •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7878 – WP ULike < 4.7.4 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-7878
The WP ULike WordPress plugin before 4.7.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The WP ULike – The Ultimate Engagement Toolkit for Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/9166cf91-69e5-4786-a6a9-816db7d47b07 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-6792 – WP ULike < 4.7.2.1 - Subscriber+ Stored-XSS
https://notcve.org/view.php?id=CVE-2024-6792
The WP ULike WordPress plugin before 4.7.2.1 does not properly sanitize user display names when rendering on a public page. The WP ULike – The Ultimate Engagement Toolkit for Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the first name field in versions 4.7.1 to 4.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/3c470edd-4b9b-461e-839f-f3a87f0060aa • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •