5 results (0.012 seconds)

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

The White Label CMS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_plugin function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to reset plugin settings. El complemento White Label CMS para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función reset_plugin en todas las versiones hasta la 2.7.3 incluida. Esto hace posible que atacantes no autenticados restablezcan la configuración del complemento. • https://plugins.trac.wordpress.org/changeset/3082887/white-label-cms https://www.wordfence.com/threat-intel/vulnerabilities/id/13a206ea-0890-4535-9da7-54a7a45f0452?source=cve • CWE-862: Missing Authorization •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1

The White Label CMS WordPress plugin before 2.5 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. El complemento White Label CMS de WordPress anterior a 2.5 deserializa la entrada del usuario proporcionada a través de la configuración, lo que podría permitir a los usuarios con altos privilegios, como el administrador, realizar la inyección de objetos PHP cuando hay un dispositivo adecuado presente. The White Label CMS plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.4 via deserialization of untrusted input in the legacy_import function. This allows administrator-level attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. • https://wpscan.com/vulnerability/b7707a15-0987-4051-a8ac-7be2424bcb01 • CWE-502: Deserialization of Untrusted Data •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue El plugin White Label CMS de WordPress versiones anteriores a 2.2.9, no sanea ni comprueba el parámetro wlcms[_login_custom_js] antes de devolverlo en la respuesta mientras es realizada la visualización previa, conllevando a un problema de tipo Cross-Site Scripting Reflejado • https://plugins.trac.wordpress.org/changeset/2672615 https://wpscan.com/vulnerability/429be4eb-8a6b-4531-9465-9ef0d35c12cc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 2

Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the White Label CMS plugin 1.5 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, a related issue to CVE-2012-5387. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en wlcms-plugin.php en el plugin White Label CMS v1.5 para WordPress, permite a usuarios remotor atuenticados a inyectar secuencias de comandos web o HTML a través del parámetro wlcms_o_developer_name en una acción save sobre wp-admin/admin.php, está relacionado con CVE-2012-5387. White Label CMS version 1.5 suffers from cross site request forgery and cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/22156 http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html http://wordpress.org/extend/plugins/white-label-cms/changelog http://www.exploit-db.com/exploits/22156 http://www.securityfocus.com/bid/56166 https://exchange.xforce.ibmcloud.com/vulnerabilities/79522 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.1EPSS: 0%CPEs: 17EXPL: 2

Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in the White Label CMS plugin before 1.5.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify the developer name via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, as demonstrated by a developer name containing XSS sequences. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en wlcms-plugin.php en el plugin White Label CMS anteriores a v1.5.1 para WordPress, permite a atacantes remotos secuestrar la autenticación de los administradores para peticiones que piden que modifique el nombre del desarrollador a través del parámetro wlcms_o_developer_name en una acción save sobre wp-admin/admin.php, como se demostró por el nombre de desarrollador que contiene secuencias XSS. White Label CMS version 1.5 suffers from cross site request forgery and cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/22156 http://osvdb.org/86568 http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html http://wordpress.org/extend/plugins/white-label-cms/changelog http://www.exploit-db.com/exploits/22156 http://www.securityfocus.com/bid/56166 https://exchange.xforce.ibmcloud.com/vulnerabilities/79520 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •