CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-5765 – WpStickyBar <= 2.1.0 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2024-5765
09 Jul 2024 — The WpStickyBar WordPress plugin through 2.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection The WpStickyBar – Sticky Bar, Sticky Header plugin for WordPress is vulnerable to SQL Injection via the 'banner_id' parameter of the 'stickybar_display' AJAX action in all versions up to, and including, 2.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient prepar... • https://wpscan.com/vulnerability/0b73f84c-611e-4681-b362-35e721478ba4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-6226 – WpStickyBar <= 2.1.0 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-6226
09 Jul 2024 — The WpStickyBar WordPress plugin through 2.1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin The WpStickyBar – Sticky Bar, Sticky Header plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthentic... • https://wpscan.com/vulnerability/e42ce8dc-51d4-471d-b3bb-ad2a6b735d02 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •