5 matches found
CVE-2019-17233
The CVE affects WordPress plugin Ultimate FAQ (WordPress) up to version 1.8.24. The vulnerability originates in Functions/EWD_UFAQ_Import.php, allowing unauthenticated HTML content injection during FAQ import, potentially exposing malicious content to site visitors. Exploitation details are not p...
CVE-2019-17232
CVE-2019-17232 affects the WordPress plugin Ultimate FAQs up to version 1.8.24. The vulnerability occurs in Functions/EWD_UFAQ_Import.php, allowing unauthenticated users to import options (and, per related sources, potentially export/import configurations) without authentication. This can enable ...
CVE-2020-7107
The WordPress plugin Ultimate FAQ (WordPress plugin) prior to version 1.8.30 is vulnerable to Cross-Site Scripting (XSS) via the Display_FAQ parameter routed through Shortcodes/DisplayFAQs.php. The issue stems from insufficient sanitization of the Display_FAQ GET parameter, enabling an attacker t...
CVE-2021-24968
The CVE-2021-24968 affects the WordPress Ultimate FAQ plugin (versions prior to 2.1.2). The issue is a lack of capability and CSRF checks in the AJAX actions ewd_ufaq_welcome_add_faq and ewd_ufaq_welcome_add_faq_page, making them accessible to any authenticated user (down to Subscriber). This can...
CVE-2019-15643
CVE-2019-15643 affects the WordPress Ultimate FAQ plugin, specifically versions before 1.8.22, with a cross-site scripting (XSS) vulnerability. The root cause and exact exploitation details are not provided in the connected documents, but multiple sources corroborate the XSS risk in this plugin. ...