Search criteria
7 vulnerabilities by Delicious Brains
CVE-2023-6701 (GCVE-0-2023-6701)
Vulnerability from cvelistv5 – Published: 2024-02-05 21:22 – Updated: 2024-08-02 08:35
VLAI?
Summary
The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| wpengine | Advanced Custom Fields (ACF) |
Affected:
* , ≤ 6.2.4
(semver)
|
|||||||
|
|||||||||
Credits
Francesco Carlucci
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-6701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-07T16:11:47.427245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:21:39.641Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:35:14.940Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3593dfd-7b2a-4d01-8af0-725b444dc81b?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.advancedcustomfields.com/blog/acf-6-2-5-security-release/"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3022469/advanced-custom-fields"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Advanced Custom Fields (ACF)",
"vendor": "wpengine",
"versions": [
{
"lessThanOrEqual": "6.2.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Advanced Custom Fields Pro",
"vendor": "Delicious Brains",
"versions": [
{
"lessThanOrEqual": "6.2.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-05T21:22:04.222Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3593dfd-7b2a-4d01-8af0-725b444dc81b?source=cve"
},
{
"url": "https://www.advancedcustomfields.com/blog/acf-6-2-5-security-release/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3022469/advanced-custom-fields"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-12T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-01-17T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-6701",
"datePublished": "2024-02-05T21:22:04.222Z",
"dateReserved": "2023-12-11T22:41:11.370Z",
"dateUpdated": "2024-08-02T08:35:14.940Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23183 (GCVE-0-2022-23183)
Vulnerability from cvelistv5 – Published: 2022-03-31 07:20 – Updated: 2024-08-03 03:36
VLAI?
Summary
Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission.
Severity ?
No CVSS data available.
CWE
- Missing authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Delicious Brains | Advanced Custom Fields |
Affected:
Advanced Custom Fields versions prior to 5.12.1, and Advanced Custom Fields Pro versions prior to 5.12.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:36:20.034Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.advancedcustomfields.com/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/advanced-custom-fields/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN42543427/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Advanced Custom Fields",
"vendor": "Delicious Brains",
"versions": [
{
"status": "affected",
"version": "Advanced Custom Fields versions prior to 5.12.1, and Advanced Custom Fields Pro versions prior to 5.12.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing authorization",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-31T07:20:54",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.advancedcustomfields.com/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/advanced-custom-fields/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN42543427/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2022-23183",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Advanced Custom Fields",
"version": {
"version_data": [
{
"version_value": "Advanced Custom Fields versions prior to 5.12.1, and Advanced Custom Fields Pro versions prior to 5.12.1"
}
]
}
}
]
},
"vendor_name": "Delicious Brains"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Missing authorization vulnerability in Advanced Custom Fields versions prior to 5.12.1 and Advanced Custom Fields Pro versions prior to 5.12.1 allows a remote authenticated attacker to view the information on the database without the access permission."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.advancedcustomfields.com/",
"refsource": "MISC",
"url": "https://www.advancedcustomfields.com/"
},
{
"name": "https://wordpress.org/plugins/advanced-custom-fields/",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/advanced-custom-fields/"
},
{
"name": "https://jvn.jp/en/jp/JVN42543427/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN42543427/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2022-23183",
"datePublished": "2022-03-31T07:20:54",
"dateReserved": "2022-02-18T00:00:00",
"dateUpdated": "2024-08-03T03:36:20.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20867 (GCVE-0-2021-20867)
Vulnerability from cvelistv5 – Published: 2021-12-13 06:40 – Updated: 2024-08-03 17:53
VLAI?
Summary
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to move the unauthorized field group via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- Missing authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Delicious Brains | Advanced Custom Fields and Advanced Custom Fields Pro |
Affected:
versions prior to 5.11
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.983Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.advancedcustomfields.com/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/advanced-custom-fields/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN09136401/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Advanced Custom Fields and Advanced Custom Fields Pro",
"vendor": "Delicious Brains",
"versions": [
{
"status": "affected",
"version": "versions prior to 5.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to move the unauthorized field group via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing authorization",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-13T06:40:16",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.advancedcustomfields.com/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/advanced-custom-fields/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN09136401/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20867",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Advanced Custom Fields and Advanced Custom Fields Pro",
"version": {
"version_data": [
{
"version_value": "versions prior to 5.11"
}
]
}
}
]
},
"vendor_name": "Delicious Brains"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in moving the field group which may allow a user to move the unauthorized field group via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.advancedcustomfields.com/",
"refsource": "MISC",
"url": "https://www.advancedcustomfields.com/"
},
{
"name": "https://wordpress.org/plugins/advanced-custom-fields/",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/advanced-custom-fields/"
},
{
"name": "https://jvn.jp/en/jp/JVN09136401/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN09136401/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20867",
"datePublished": "2021-12-13T06:40:16",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:53:22.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20866 (GCVE-0-2021-20866)
Vulnerability from cvelistv5 – Published: 2021-12-13 06:40 – Updated: 2024-08-03 17:53
VLAI?
Summary
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in obtaining the user list which may allow a user to obtain the unauthorized information via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- Missing authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Delicious Brains | Advanced Custom Fields and Advanced Custom Fields Pro |
Affected:
versions prior to 5.11
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.640Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.advancedcustomfields.com/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/advanced-custom-fields/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN09136401/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Advanced Custom Fields and Advanced Custom Fields Pro",
"vendor": "Delicious Brains",
"versions": [
{
"status": "affected",
"version": "versions prior to 5.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in obtaining the user list which may allow a user to obtain the unauthorized information via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing authorization",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-13T06:40:14",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.advancedcustomfields.com/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/advanced-custom-fields/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN09136401/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20866",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Advanced Custom Fields and Advanced Custom Fields Pro",
"version": {
"version_data": [
{
"version_value": "versions prior to 5.11"
}
]
}
}
]
},
"vendor_name": "Delicious Brains"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in obtaining the user list which may allow a user to obtain the unauthorized information via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.advancedcustomfields.com/",
"refsource": "MISC",
"url": "https://www.advancedcustomfields.com/"
},
{
"name": "https://wordpress.org/plugins/advanced-custom-fields/",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/advanced-custom-fields/"
},
{
"name": "https://jvn.jp/en/jp/JVN09136401/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN09136401/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20866",
"datePublished": "2021-12-13T06:40:14",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:53:22.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20865 (GCVE-0-2021-20865)
Vulnerability from cvelistv5 – Published: 2021-12-13 06:40 – Updated: 2024-08-03 17:53
VLAI?
Summary
Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in browsing database which may allow a user to browse unauthorized data via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- Missing authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Delicious Brains | Advanced Custom Fields and Advanced Custom Fields Pro |
Affected:
versions prior to 5.11
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.754Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.advancedcustomfields.com/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/advanced-custom-fields/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN09136401/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Advanced Custom Fields and Advanced Custom Fields Pro",
"vendor": "Delicious Brains",
"versions": [
{
"status": "affected",
"version": "versions prior to 5.11"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in browsing database which may allow a user to browse unauthorized data via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing authorization",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-13T06:40:13",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.advancedcustomfields.com/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/advanced-custom-fields/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN09136401/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20865",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Advanced Custom Fields and Advanced Custom Fields Pro",
"version": {
"version_data": [
{
"version_value": "versions prior to 5.11"
}
]
}
}
]
},
"vendor_name": "Delicious Brains"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Advanced Custom Fields versions prior to 5.11 and Advanced Custom Fields Pro versions prior to 5.11 contain a missing authorization vulnerability in browsing database which may allow a user to browse unauthorized data via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.advancedcustomfields.com/",
"refsource": "MISC",
"url": "https://www.advancedcustomfields.com/"
},
{
"name": "https://wordpress.org/plugins/advanced-custom-fields/",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/advanced-custom-fields/"
},
{
"name": "https://jvn.jp/en/jp/JVN09136401/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN09136401/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20865",
"datePublished": "2021-12-13T06:40:13",
"dateReserved": "2020-12-17T00:00:00",
"dateUpdated": "2024-08-03T17:53:22.754Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24494 (GCVE-0-2021-24494)
Vulnerability from cvelistv5 – Published: 2021-07-06 11:03 – Updated: 2024-08-03 19:35
VLAI?
Summary
The WP Offload SES Lite WordPress plugin before 1.4.5 did not escape some of the fields in the Activity page of the admin dashboard, such as the email's id, subject and recipient, which could lead to Stored Cross-Site Scripting issues when an attacker can control any of these fields, like the subject when filling a contact form for example. The XSS will be executed in the context of a logged in admin viewing the Activity tab of the plugin.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Delicious Brains | WP Offload SES Lite |
Affected:
1.4.5 , < 1.4.5
(custom)
|
Credits
Ionut Morosan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:35:20.203Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/8f14733e-84c3-4f7c-93f8-e27c74519160"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP Offload SES Lite",
"vendor": "Delicious Brains",
"versions": [
{
"lessThan": "1.4.5",
"status": "affected",
"version": "1.4.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ionut Morosan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Offload SES Lite WordPress plugin before 1.4.5 did not escape some of the fields in the Activity page of the admin dashboard, such as the email\u0027s id, subject and recipient, which could lead to Stored Cross-Site Scripting issues when an attacker can control any of these fields, like the subject when filling a contact form for example. The XSS will be executed in the context of a logged in admin viewing the Activity tab of the plugin."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-06T11:03:35",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/8f14733e-84c3-4f7c-93f8-e27c74519160"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WP Offload SES Lite \u003c 1.4.5 - Stored Cross-Site Scripting (XSS)",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24494",
"STATE": "PUBLIC",
"TITLE": "WP Offload SES Lite \u003c 1.4.5 - Stored Cross-Site Scripting (XSS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP Offload SES Lite",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.4.5",
"version_value": "1.4.5"
}
]
}
}
]
},
"vendor_name": "Delicious Brains"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Ionut Morosan"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WP Offload SES Lite WordPress plugin before 1.4.5 did not escape some of the fields in the Activity page of the admin dashboard, such as the email\u0027s id, subject and recipient, which could lead to Stored Cross-Site Scripting issues when an attacker can control any of these fields, like the subject when filling a contact form for example. The XSS will be executed in the context of a logged in admin viewing the Activity tab of the plugin."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/8f14733e-84c3-4f7c-93f8-e27c74519160",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/8f14733e-84c3-4f7c-93f8-e27c74519160"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24494",
"datePublished": "2021-07-06T11:03:35",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:35:20.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24322 (GCVE-0-2021-24322)
Vulnerability from cvelistv5 – Published: 2021-06-01 11:33 – Updated: 2024-08-03 19:28
VLAI?
Summary
The Database Backup for WordPress plugin before 2.4 did not escape the backup_recipient POST parameter in before output it back in the attribute of an HTML tag, leading to a Stored Cross-Site Scripting issue.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Delicious Brains | Database Backup for WordPress |
Affected:
2.4 , < 2.4
(custom)
|
Credits
m0ze
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/6bea6301-0762-45c3-a4eb-15d6ac4f9f37"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://m0ze.ru/vulnerability/%5B2021-04-04%5D-%5BWordPress%5D-%5BCWE-79%5D-WP-DB-Backup-WordPress-Plugin-v2.3.3.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Database Backup for WordPress",
"vendor": "Delicious Brains",
"versions": [
{
"lessThan": "2.4",
"status": "affected",
"version": "2.4",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "m0ze"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Database Backup for WordPress plugin before 2.4 did not escape the backup_recipient POST parameter in before output it back in the attribute of an HTML tag, leading to a Stored Cross-Site Scripting issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-01T11:33:31",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/6bea6301-0762-45c3-a4eb-15d6ac4f9f37"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://m0ze.ru/vulnerability/%5B2021-04-04%5D-%5BWordPress%5D-%5BCWE-79%5D-WP-DB-Backup-WordPress-Plugin-v2.3.3.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Database Backup for WordPress \u003c 2.4 - Authenticated Persistent Cross-Site Scripting (XSS)",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24322",
"STATE": "PUBLIC",
"TITLE": "Database Backup for WordPress \u003c 2.4 - Authenticated Persistent Cross-Site Scripting (XSS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Database Backup for WordPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.4",
"version_value": "2.4"
}
]
}
}
]
},
"vendor_name": "Delicious Brains"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "m0ze"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Database Backup for WordPress plugin before 2.4 did not escape the backup_recipient POST parameter in before output it back in the attribute of an HTML tag, leading to a Stored Cross-Site Scripting issue."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/6bea6301-0762-45c3-a4eb-15d6ac4f9f37",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/6bea6301-0762-45c3-a4eb-15d6ac4f9f37"
},
{
"name": "https://m0ze.ru/vulnerability/%5B2021-04-04%5D-%5BWordPress%5D-%5BCWE-79%5D-WP-DB-Backup-WordPress-Plugin-v2.3.3.txt",
"refsource": "MISC",
"url": "https://m0ze.ru/vulnerability/%5B2021-04-04%5D-%5BWordPress%5D-%5BCWE-79%5D-WP-DB-Backup-WordPress-Plugin-v2.3.3.txt"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24322",
"datePublished": "2021-06-01T11:33:31",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:28:23.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}