CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34411 – WordPress canvasio3D Light plugin <= 2.5.0 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-34411
Unrestricted Upload of File with Dangerous Type vulnerability in Thomas Scholl canvasio3D Light.This issue affects canvasio3D Light: from n/a through 2.5.0. Carga sin restricciones de archivos con vulnerabilidad de tipo peligroso en Thomas Scholl canvasio3D Light. Este problema afecta a canvasio3D Light: desde n/a hasta 2.5.0. The canvasio3D Light plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/canvasio3d-light/wordpress-canvasio3d-light-plugin-2-5-0-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-48776 – Download canvasio3D Light <= 2.5.0 - Missing Authorization
https://notcve.org/view.php?id=CVE-2023-48776
The Download canvasio3D Light plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on the caARConnect() function in versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve data from the plugin and save/delete entries. • CWE-862: Missing Authorization •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-45062 – WordPress Download canvasio3D Light Plugin <= 2.4.6 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-45062
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Thomas Scholl canvasio3D Light plugin <= 2.4.6 versions. Vulnerabilidad de Cross-Site Scripting (XSS) Reflejada No Autenticada en el complemento Thomas Scholl canvasio3D Light en versiones <= 2.4.6. The Download canvasio3D Light plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/canvasio3d-light/wordpress-canvasio3d-light-plugin-2-4-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •