CVE-2024-43303 – WordPress White Label CMS plugin <= 2.7.4 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-43303
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in videousermanuals.Com White Label CMS allows Reflected XSS. This issue affects White Label CMS: from n/a through 2.7.4. The White Label CMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
• https://patchstack.com/database/vulnerability/white-label-cms/wordpress-white-label-cms-plugin-2-7-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4280 – White Label CMS <= 2.7.3 - Missing Authorization to Plugin Settings Reset
https://notcve.org/view.php?id=CVE-2024-4280
The White Label CMS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_plugin function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to reset plugin settings.
• https://plugins.trac.wordpress.org/changeset/3082887/white-label-cms
• https://www.wordfence.com/threat-intel/vulnerabilities/id/13a206ea-0890-4535-9da7-54a7a45f0452?source=cve
• CWE-862: Missing Authorization
CVE-2022-4302 – White Label CMS < 2.5 - Admin+ PHP Object Injection
https://notcve.org/view.php?id=CVE-2022-4302
The White Label CMS WordPress plugin before 2.5 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. The White Label CMS plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.4 via deserialization of untrusted input in the legacy_import function. This allows administrator-level attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin.
• https://wpscan.com/vulnerability/b7707a15-0987-4051-a8ac-7be2424bcb01
• CWE-502: Deserialization of Untrusted Data
CVE-2022-0422 – White Label CMS < 2.2.9 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0422
The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue.
• https://plugins.trac.wordpress.org/changeset/2672615
• https://wpscan.com/vulnerability/429be4eb-8a6b-4531-9465-9ef0d35c12cc
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')