35 matches found
WordPress WP VR Plugin <= 8.5.4 is vulnerable to Broken Access Control
Software WP VR Type Plugin Vulnerable versions = 8.5.4 Fixed in 8.5.5 OWASP Top 10 A1: Broken Access Control Classification Broken Access Control CVE CVE-2024-49293 Patch priority Low CVSS severity Low 4.3 Developer WPFunnels Team PSID ece40c2ceb73 Credits Trương Hữu Phúc truonghuuphuc Required...
CVE-2024-2220
CVE-2024-2220 affects the Button contact VR WordPress plugin (versions up to 4.7). The issue is Stored XSS due to insufficient sanitisation/escaping of plugin settings, enabling high-privilege users (e.g., Administrators) to inject script, potentially in multisite setups where unfiltered_html is ...
CVE-2023-6529
The WP VR WordPress plugin before 8.3.15 does not authorisation and CSRF in a function hooked to admininit, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities...
CVE-2023-6529 WP VR < 8.3.15 - Unauthenticated Plugin Downgrade leading to XSS
The WP VR WordPress plugin before 8.3.15 does not authorisation and CSRF in a function hooked to admininit, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities...
PT-2024-14996 · WordPress · Wp Vr
Name of the Vulnerable Software and Affected Versions: WP VR WordPress plugin versions prior to 8.3.15 Description: The issue concerns a lack of authorization and CSRF protection in a function hooked to admin init, allowing unauthenticated users to downgrade the plugin. This can lead to Reflected...
WordPress WP VR Plugin <= 1.0.1 is vulnerable to Cross Site Scripting (XSS)
Software WP VR Type Plugin Vulnerable versions = 1.0.1 Fixed in 1.0.2 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2023-33999 Patch priority High CVSS severity High 7.1 Developer WPFunnels Team PSID de1111c82f8a Credits Rafie Muhammad Patchstack Required privilege...
CVE-2023-1414
The WP VR WordPress plugin before 8.3.0 does not have authorisation and CSRF checks in various AJAX actions, one in particular could allow any authenticated users, such as subscriber to update arbitrary tours...
CVE-2023-1413 WP VR < 8.2.9 - Reflected XSS
The WP VR WordPress plugin before 8.2.9 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
PT-2023-16966 · WordPress · Wp Vr
Name of the Vulnerable Software and Affected Versions: WP VR WordPress plugin versions prior to 8.2.9 Description: The issue is related to a Reflected Cross-Site Scripting problem. It occurs because some parameters are not properly sanitised and escaped before being outputted back in the page. Th...
WordPress WP VR Plugin < 8.2.9 is vulnerable to Cross Site Scripting (XSS)
Software WP VR Type Plugin Vulnerable versions 8.2.9 Fixed in 8.2.9 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2023-1413 Patch priority High CVSS severity High 7.1 Developer WPFunnels Team PSID f109d593f865 Credits Erwan LR WPScan Required privilege...
WordPress WP VR Plugin < 8.3.0 is vulnerable to Broken Access Control
Software WP VR Type Plugin Vulnerable versions 8.3.0 Fixed in 8.3.0 OWASP Top 10 A5: Broken Access Control Classification Broken Access Control CVE CVE-2023-1414 Patch priority Medium CVSS severity Medium 4.3 Developer WPFunnels Team PSID 08ad2733ea1e Credits Erwan LR WPScan Required privilege...
WordPress WP VR Plugin <= 8.2.7 is vulnerable to Cross Site Request Forgery (CSRF)
Software WP VR Type Plugin Vulnerable versions = 8.2.7 Fixed in 8.2.8 OWASP Top 10 A5: Broken Access Control Classification Cross Site Request Forgery CSRF CVE CVE-2023-25708 Patch priority Low CVSS severity Low 4.3 Developer WPFunnels Team PSID e8f1ea3c4e52 Credits Abdi Pranata Required privileg...
CVE-2023-0174
The WP VR WordPress plugin before 8.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2023-0174 WP VR < 8.2.7 - Contributor+ Stored XSS
The WP VR WordPress plugin before 8.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
WordPress WP VR Plugin < 8.2.7 is vulnerable to Cross Site Scripting (XSS)
Software WP VR Type Plugin Vulnerable versions 8.2.7 Fixed in 8.2.7 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2023-0174 Patch priority Medium CVSS severity Medium 6.5 Developer WPFunnels Team PSID 8cc58a857921 Credits Lana Codes Required privilege...