Sticky Header Security Vulnerabilities - November

CVE-2021-24425

The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme – myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing high privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, whi...

CVSS 4.8 | AI Score 4.9 | EPSS 0.001
2021-08-02 11:15 AM

CVE-2022-35730

Cross-Site Request Forgery (CSRF) vulnerability in Oceanwp sticky header plugin <= 1.0.8 on WordPress.

CVSS 6.5 | AI Score 6.6 | EPSS 0.001
2022-12-04 11:15 PM

CVE-2023-23700

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OceanWP allows PHP Local File Inclusion. This issue affects OceanWP: from n/a through 3.4.1.

CVSS 7.6 | AI Score 6.8 | EPSS 0.0004
2024-05-17 07:15 AM

CVE-2023-5509

The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions.

CVSS 5.4 | AI Score 5.4 | EPSS 0.0004
2023-11-20 07:15 PM

CVE-2024-2476

The OceanWP theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_theme_panel_pane function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to expose sen...

CVSS 4.3 | AI Score 8.7 | EPSS 0.0004
2024-03-29 07:15 AM

CVE-2024-4090

The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_htm...

CVSS 4.8 | AI Score 6.1 | EPSS 0.0004
2024-08-01 06:15 AM

CVE-2024-7133

The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.7.3 does not validate and escape some of its settings before outputting them back in the page, which could allow users with a high role to perform Stored Cross-Site Scripti...

CVSS 4.8 | AI Score 5.7 | EPSS 0.0004
2024-09-13 06:15 AM