Search criteria
9 vulnerabilities found for rock_convert by rockcontent
FKIE_CVE-2022-36428
Vulnerability from fkie_nvd - Published: 2022-11-03 20:15 - Updated: 2024-11-21 07:12
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Stage Rock Convert plugin <= 2.11.0 on WordPress.
References
| URL | Tags | ||
|---|---|---|---|
| audit@patchstack.com | https://patchstack.com/database/vulnerability/rock-convert/wordpress-rock-convert-plugin-2-11-0-auth-cross-site-scripting-xss-vulnerability?_s_id=cve | Third Party Advisory | |
| audit@patchstack.com | https://wordpress.org/plugins/rock-convert/ | Product, Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://patchstack.com/database/vulnerability/rock-convert/wordpress-rock-convert-plugin-2-11-0-auth-cross-site-scripting-xss-vulnerability?_s_id=cve | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wordpress.org/plugins/rock-convert/ | Product, Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rockcontent | rock_convert | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rockcontent:rock_convert:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "EAEEAC7E-0933-44ED-9FF6-6C69C8BA259A",
"versionEndIncluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Stage Rock Convert plugin \u003c= 2.11.0 on WordPress."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Scripting (XSS) autenticado (con permisos de admin o superiores) en el complemento Stage Rock Convert en WordPress en versiones \u0026lt;= 2.11.0."
}
],
"id": "CVE-2022-36428",
"lastModified": "2024-11-21T07:12:59.390",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-03T20:15:29.373",
"references": [
{
"source": "audit@patchstack.com",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/rock-convert/wordpress-rock-convert-plugin-2-11-0-auth-cross-site-scripting-xss-vulnerability?_s_id=cve"
},
{
"source": "audit@patchstack.com",
"tags": [
"Product",
"Release Notes",
"Third Party Advisory"
],
"url": "https://wordpress.org/plugins/rock-convert/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://patchstack.com/database/vulnerability/rock-convert/wordpress-rock-convert-plugin-2-11-0-auth-cross-site-scripting-xss-vulnerability?_s_id=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Release Notes",
"Third Party Advisory"
],
"url": "https://wordpress.org/plugins/rock-convert/"
}
],
"sourceIdentifier": "audit@patchstack.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "audit@patchstack.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-3440
Vulnerability from fkie_nvd - Published: 2022-10-31 16:15 - Updated: 2025-05-06 20:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape an URL before outputting it back in an attribute when a specific widget is present on a page, leading to a Reflected Cross-Site Scripting
References
| URL | Tags | ||
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/e39fcf30-1e69-4399-854c-4c5b6ccc22a2 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/e39fcf30-1e69-4399-854c-4c5b6ccc22a2 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rockcontent | rock_convert | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rockcontent:rock_convert:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "33D653C5-4826-499D-B13A-7C4B4838A5CD",
"versionEndExcluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape an URL before outputting it back in an attribute when a specific widget is present on a page, leading to a Reflected Cross-Site Scripting"
},
{
"lang": "es",
"value": "El complemento Rock Convert WordPress anterior a 2.11.0 no sanitiza ni escapa una URL antes de mostrarla nuevamente en un atributo cuando un widget espec\u00edfico est\u00e1 presente en una p\u00e1gina, lo que generando Reflected Cross-Site Scripting\n"
}
],
"id": "CVE-2022-3440",
"lastModified": "2025-05-06T20:15:23.097",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-10-31T16:15:11.723",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/e39fcf30-1e69-4399-854c-4c5b6ccc22a2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/e39fcf30-1e69-4399-854c-4c5b6ccc22a2"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "contact@wpscan.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-3441
Vulnerability from fkie_nvd - Published: 2022-10-31 16:15 - Updated: 2025-05-06 20:15
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
References
| URL | Tags | ||
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/7b51b1f0-17ca-46b7-ada1-20bd926f3023 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/7b51b1f0-17ca-46b7-ada1-20bd926f3023 | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| rockcontent | rock_convert | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rockcontent:rock_convert:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "33D653C5-4826-499D-B13A-7C4B4838A5CD",
"versionEndExcluding": "2.11.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"
},
{
"lang": "es",
"value": "El complemento Rock Convert WordPress anterior a 2.11.0 no sanitiza y escapa a algunas de sus configuraciones, lo que podr\u00eda permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Stored Cross-Site Scripting incluso cuando la capacidad unfiltered_html no est\u00e1 permitida (por ejemplo, en una configuraci\u00f3n multisitio).\n"
}
],
"id": "CVE-2022-3441",
"lastModified": "2025-05-06T20:15:23.280",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-10-31T16:15:11.787",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/7b51b1f0-17ca-46b7-ada1-20bd926f3023"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/7b51b1f0-17ca-46b7-ada1-20bd926f3023"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "contact@wpscan.com",
"type": "Secondary"
}
]
}
CVE-2022-36428 (GCVE-0-2022-36428)
Vulnerability from cvelistv5 – Published: 2022-11-03 19:22 – Updated: 2025-02-20 19:57
VLAI?
Title
WordPress Rock Convert plugin <= 2.11.0 - Auth. Cross-Site Scripting (XSS) vulnerability
Summary
Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Stage Rock Convert plugin <= 2.11.0 on WordPress.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Stage | Rock Convert (WordPress plugin) |
Affected:
<= 2.11.0 , ≤ 2.11.0
(custom)
|
Credits
Vulnerability discovered by Mika (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:07:34.353Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/rock-convert/wordpress-rock-convert-plugin-2-11-0-auth-cross-site-scripting-xss-vulnerability?_s_id=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/rock-convert/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36428",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:22:10.353509Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:57:11.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Rock Convert (WordPress plugin)",
"vendor": "Stage",
"versions": [
{
"lessThanOrEqual": "2.11.0",
"status": "affected",
"version": "\u003c= 2.11.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Mika (Patchstack Alliance)"
}
],
"datePublic": "2022-10-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Stage Rock Convert plugin \u003c= 2.11.0 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-03T00:00:00.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://patchstack.com/database/vulnerability/rock-convert/wordpress-rock-convert-plugin-2-11-0-auth-cross-site-scripting-xss-vulnerability?_s_id=cve"
},
{
"url": "https://wordpress.org/plugins/rock-convert/"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 3.0.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Rock Convert plugin \u003c= 2.11.0 - Auth. Cross-Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-36428",
"datePublished": "2022-11-03T19:22:18.187Z",
"dateReserved": "2022-08-09T00:00:00.000Z",
"dateUpdated": "2025-02-20T19:57:11.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3440 (GCVE-0-2022-3440)
Vulnerability from cvelistv5 – Published: 2022-10-31 00:00 – Updated: 2025-05-06 20:09
VLAI?
Title
Rock Convert < 2.6.0 - Reflected Cross-Site Scripting
Summary
The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape an URL before outputting it back in an attribute when a specific widget is present on a page, leading to a Reflected Cross-Site Scripting
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-Site Scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Rock Convert |
Affected:
2.11.0 , < 2.11.0
(custom)
|
Credits
José Ricardo
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.588Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/e39fcf30-1e69-4399-854c-4c5b6ccc22a2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3440",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T20:08:43.632280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T20:09:09.143Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Rock Convert",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.11.0",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jos\u00e9 Ricardo"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape an URL before outputting it back in an attribute when a specific widget is present on a page, leading to a Reflected Cross-Site Scripting"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-31T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/e39fcf30-1e69-4399-854c-4c5b6ccc22a2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Rock Convert \u003c 2.6.0 - Reflected Cross-Site Scripting",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3440",
"datePublished": "2022-10-31T00:00:00.000Z",
"dateReserved": "2022-10-10T00:00:00.000Z",
"dateUpdated": "2025-05-06T20:09:09.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3441 (GCVE-0-2022-3441)
Vulnerability from cvelistv5 – Published: 2022-10-31 00:00 – Updated: 2025-05-06 20:06
VLAI?
Title
Rock Convert < 2.11.0 - Admin+ Stored Cross-Site Scripting
Summary
The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Cross-Site Scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Rock Convert |
Affected:
2.11.0 , < 2.11.0
(custom)
|
Credits
José Ricardo
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.609Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/7b51b1f0-17ca-46b7-ada1-20bd926f3023"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3441",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T20:05:40.429568Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T20:06:09.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Rock Convert",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.11.0",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jos\u00e9 Ricardo"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-31T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/7b51b1f0-17ca-46b7-ada1-20bd926f3023"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Rock Convert \u003c 2.11.0 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3441",
"datePublished": "2022-10-31T00:00:00.000Z",
"dateReserved": "2022-10-10T00:00:00.000Z",
"dateUpdated": "2025-05-06T20:06:09.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36428 (GCVE-0-2022-36428)
Vulnerability from nvd – Published: 2022-11-03 19:22 – Updated: 2025-02-20 19:57
VLAI?
Title
WordPress Rock Convert plugin <= 2.11.0 - Auth. Cross-Site Scripting (XSS) vulnerability
Summary
Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Stage Rock Convert plugin <= 2.11.0 on WordPress.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Stage | Rock Convert (WordPress plugin) |
Affected:
<= 2.11.0 , ≤ 2.11.0
(custom)
|
Credits
Vulnerability discovered by Mika (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:07:34.353Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/rock-convert/wordpress-rock-convert-plugin-2-11-0-auth-cross-site-scripting-xss-vulnerability?_s_id=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/rock-convert/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36428",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:22:10.353509Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:57:11.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Rock Convert (WordPress plugin)",
"vendor": "Stage",
"versions": [
{
"lessThanOrEqual": "2.11.0",
"status": "affected",
"version": "\u003c= 2.11.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Vulnerability discovered by Mika (Patchstack Alliance)"
}
],
"datePublic": "2022-10-13T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Stage Rock Convert plugin \u003c= 2.11.0 on WordPress."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-03T00:00:00.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"url": "https://patchstack.com/database/vulnerability/rock-convert/wordpress-rock-convert-plugin-2-11-0-auth-cross-site-scripting-xss-vulnerability?_s_id=cve"
},
{
"url": "https://wordpress.org/plugins/rock-convert/"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 3.0.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Rock Convert plugin \u003c= 2.11.0 - Auth. Cross-Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-36428",
"datePublished": "2022-11-03T19:22:18.187Z",
"dateReserved": "2022-08-09T00:00:00.000Z",
"dateUpdated": "2025-02-20T19:57:11.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3440 (GCVE-0-2022-3440)
Vulnerability from nvd – Published: 2022-10-31 00:00 – Updated: 2025-05-06 20:09
VLAI?
Title
Rock Convert < 2.6.0 - Reflected Cross-Site Scripting
Summary
The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape an URL before outputting it back in an attribute when a specific widget is present on a page, leading to a Reflected Cross-Site Scripting
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Cross-Site Scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Rock Convert |
Affected:
2.11.0 , < 2.11.0
(custom)
|
Credits
José Ricardo
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.588Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/e39fcf30-1e69-4399-854c-4c5b6ccc22a2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3440",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T20:08:43.632280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T20:09:09.143Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Rock Convert",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.11.0",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jos\u00e9 Ricardo"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape an URL before outputting it back in an attribute when a specific widget is present on a page, leading to a Reflected Cross-Site Scripting"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-31T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/e39fcf30-1e69-4399-854c-4c5b6ccc22a2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Rock Convert \u003c 2.6.0 - Reflected Cross-Site Scripting",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3440",
"datePublished": "2022-10-31T00:00:00.000Z",
"dateReserved": "2022-10-10T00:00:00.000Z",
"dateUpdated": "2025-05-06T20:09:09.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3441 (GCVE-0-2022-3441)
Vulnerability from nvd – Published: 2022-10-31 00:00 – Updated: 2025-05-06 20:06
VLAI?
Title
Rock Convert < 2.11.0 - Admin+ Stored Cross-Site Scripting
Summary
The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Cross-Site Scripting (XSS)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Rock Convert |
Affected:
2.11.0 , < 2.11.0
(custom)
|
Credits
José Ricardo
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:07:06.609Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/7b51b1f0-17ca-46b7-ada1-20bd926f3023"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3441",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-06T20:05:40.429568Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-06T20:06:09.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Rock Convert",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.11.0",
"status": "affected",
"version": "2.11.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jos\u00e9 Ricardo"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Rock Convert WordPress plugin before 2.11.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-31T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/7b51b1f0-17ca-46b7-ada1-20bd926f3023"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Rock Convert \u003c 2.11.0 - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3441",
"datePublished": "2022-10-31T00:00:00.000Z",
"dateReserved": "2022-10-10T00:00:00.000Z",
"dateUpdated": "2025-05-06T20:06:09.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}