CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10172 – WPBakery Visual Composer WHMCS Elements <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via void_wbwhmcse_laouts_search Shortcode
https://notcve.org/view.php?id=CVE-2024-10172
20 Nov 2024 — The WPBakery Visual Composer WHMCS Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's void_wbwhmcse_laouts_search shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://www.wordfence.com/threat-intel/vulnerabilities/id/cc4b52c6-1ac2-4f90-a776-c91232f5de34?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5419 – Void Contact Form 7 Widget For Elementor Page Builder <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via cf7_redirect_page Attribute
https://notcve.org/view.php?id=CVE-2024-5419
01 Jul 2024 — The Void Contact Form 7 Widget For Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cf7_redirect_page' attribute within the plugin's Void Contact From 7 widget in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user acces... • https://plugins.trac.wordpress.org/browser/cf7-widget-elementor/tags/2.4/widgets/void-section-cf7.php#L1672 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-47166 – WordPress Void Contact Form 7 Widget For Elementor Page Builder Plugin <= 2.1.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-47166
12 Feb 2023 — Cross-Site Request Forgery (CSRF) vulnerability in voidCoders Void Contact Form 7 Widget For Elementor Page Builder plugin <= 2.1.1 versions. The Void Contact Form 7 Widget For Elementor Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the void_cf7_opt_in_user_data_track function via the admin_notices action. This makes it possible for unauthenticated attackers to perform an unauthor... • https://patchstack.com/database/vulnerability/cf7-widget-elementor/wordpress-void-contact-form-7-widget-for-elementor-page-builder-plugin-2-1-1-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •