
CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Apr 2022 — The WPCargo Track & Trace WordPress plugin before 6.9.5 does not sanitize and escape some of its settings, which could allow high-privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. • https://wpscan.com/vulnerability/ef5aa8a7-23a7-4ce0-bb09-d9c986386114 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Apr 2022 — The WPCargo Track & Trace WordPress plugin before 6.9.5 does not sanitise and escape the wpcargo_tracking_number parameter before outputting it back in the page, which could allow attackers to perform reflected Cross-Site Scripting attacks. • https://wpscan.com/vulnerability/d5c6f894-6ad1-46f4-bd77-17ad9234cfc3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 9% • CPEs: 1 • EXPL: 2

21 Feb 2022 — The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE. • https://github.com/biulove0x/CVE-2021-25003 • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-434: Unrestricted Upload of File with Dangerous Type