CVE-2022-3506 – Cross-site Scripting (XSS) - Stored in barrykooij/related-posts-for-wp
https://notcve.org/view.php?id=CVE-2022-3506
Cross-site Scripting (XSS) - Stored in GitHub repository barrykooij/related-posts-for-wp prior to 2.1.3. Una vulnerabilidad de tipo Cross-site Scripting (XSS) - Almacenado en el repositorio de GitHub barrykooij/related-posts-for-wp versiones anteriores a 2.1.3 The Related Posts for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘heading_text’ parameter in versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note, this vulnerability was independently found by two researchers. • https://github.com/barrykooij/related-posts-for-wp/commit/37733398dd88863fc0bdb3d6d378598429fd0b81 https://huntr.dev/bounties/08251542-88f6-4264-9074-a89984034828 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-24482 – Related Posts for WordPress <= 2.0.4 - Authenticated Stored XSS & XFS
https://notcve.org/view.php?id=CVE-2021-24482
The Related Posts for WordPress plugin through 2.0.4 does not sanitise its heading_text and CSS settings, allowing high privilege users (admin) to set XSS payloads in them, leading to Stored Cross-Site Scripting issues. El plugin Related Posts para WordPress versiones hasta 2.0.4, no sanea sus ajustes heading_text y CSS, permitiendo a usuarios con privilegios elevados (admin) establecer cargas útiles XSS en ellos, lo que conlleva a problemas de tipo Cross-Site Scripting Almacenado • https://m0ze.ru/vulnerability/%5B2021-04-18%5D-%5BWordPress%5D-%5BCWE-79%5D-Related-Posts-for-WordPress-WordPress-Plugin-v2.0.4.txt https://wpscan.com/vulnerability/2f86e418-22fd-4cb8-8de1-062b17cf20a7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-24180 – Related Posts for WordPress < 2.0.4 - Authenticated Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24180
Unvalidated input and lack of output encoding within the Related Posts for WordPress plugin before 2.0.4 lead to a Reflected Cross-Site Scripting (XSS) vulnerability within the 'lang' GET parameter while editing a post, triggered when users with the capability of editing posts access a malicious URL. Una entrada no comprobada y una falta de codificación de la salida dentro del plugin Related Posts para WordPress versiones anteriores a 2.0.4, conllevan a una vulnerabilidad de tipo Cross-Site Scripting (XSS) reflejado dentro del parámetro GET "lang" al editar una publicación, desencadenándose cuando unos usuarios presentan la capacidad de editar publicaciones que acceden a una URL maliciosa • https://wpscan.com/vulnerability/7593d5c8-cbc2-4469-b36b-5d4fb6d49718 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-9361 – Related Posts <= 1.8.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-9361
The Related Posts plugin before 1.8.2 for WordPress has XSS via add_query_arg() and remove_query_arg(). El plugin Related Posts versiones anteriores a 1.8.2 para WordPress, tiene una vulnerabilidad de tipo XSS por medio de las funciones add_query_arg() y remove_query_arg(). • https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html https://www.barrykooij.com/several-security-updates-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2013-3476 – Related Posts < 2.7.2 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2013-3476
Cross-site request forgery (CSRF) vulnerability in the WordPress Related Posts plugin before 2.6.2 for WordPress allows remote attackers to hijack the authentication of users for requests that change settings via unspecified vectors. Vulnerabilidad de CSRF en el plugin WordPress Related Posts anterior a 2.6.2 para WordPress permite a atacantes remotos secuestrar la autenticación de usuarios para solicitudes que cambian configuraciones a través de vectores no especificados. Cross-site request forgery (CSRF) vulnerability in the WordPress Related Posts plugin before 2.7.2 for WordPress allows remote attackers to hijack the authentication of users for requests that change settings via unspecified vectors. • http://secunia.com/advisories/53279 http://wordpress.org/plugins/wordpress-23-related-posts-plugin/changelog http://www.securityfocus.com/bid/59839 https://exchange.xforce.ibmcloud.com/vulnerabilities/84247 • CWE-352: Cross-Site Request Forgery (CSRF) •