Search criteria
3 vulnerabilities by devpups
CVE-2024-10145 (GCVE-0-2024-10145)
Vulnerability from cvelistv5 – Published: 2025-05-15 20:06 – Updated: 2025-05-20 15:48
VLAI?
Title
Hubbub Lite < 1.34.4 - Admin+ Stored XSS
Summary
The Hubbub Lite WordPress plugin before 1.34.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity ?
4.8 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Hubbub Lite |
Affected:
0 , < 1.34.4
(semver)
|
Credits
Krugov Artyom
WPScan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-10145",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-20T15:46:48.562048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-20T15:48:23.514Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://wpscan.com/vulnerability/b9e2381b-3ea0-48fa-bd9c-4181ddf36389/"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Hubbub Lite",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.34.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krugov Artyom"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Hubbub Lite WordPress plugin before 1.34.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T20:06:41.838Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/b9e2381b-3ea0-48fa-bd9c-4181ddf36389/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Hubbub Lite \u003c 1.34.4 - Admin+ Stored XSS",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-10145",
"datePublished": "2025-05-15T20:06:41.838Z",
"dateReserved": "2024-10-18T18:25:06.959Z",
"dateUpdated": "2025-05-20T15:48:23.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1526 (GCVE-0-2024-1526)
Vulnerability from cvelistv5 – Published: 2024-04-01 05:00 – Updated: 2025-03-20 19:22
VLAI?
Title
Hubbub Lite < 1.33.1 - Unauthenticated Password Protected Posts Access
Summary
The Hubbub Lite WordPress plugin before 1.33.1 does not ensure that user have access to password protected post before displaying its content in a meta tag.
Severity ?
5.3 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Hubbub Lite |
Affected:
0 , < 1.33.1
(semver)
|
Credits
Krzysztof Zając (CERT PL)
WPScan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-1526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-04T15:31:53.876837Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T19:22:49.897Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:40:21.555Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/1664697e-0ea3-4d09-b2fd-153a104ec255/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Hubbub Lite ",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.33.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krzysztof Zaj\u0105c (CERT PL)"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Hubbub Lite WordPress plugin before 1.33.1 does not ensure that user have access to password protected post before displaying its content in a meta tag."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-01T05:00:01.259Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/1664697e-0ea3-4d09-b2fd-153a104ec255/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Hubbub Lite \u003c 1.33.1 - Unauthenticated Password Protected Posts Access",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-1526",
"datePublished": "2024-04-01T05:00:01.259Z",
"dateReserved": "2024-02-15T08:48:52.291Z",
"dateUpdated": "2025-03-20T19:22:49.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10736 (GCVE-0-2016-10736)
Vulnerability from cvelistv5 – Published: 2019-01-09 23:00 – Updated: 2024-08-06 03:30
VLAI?
Summary
The "Social Pug - Easy Social Share Buttons" plugin before 1.2.6 for WordPress allows XSS via the wp-admin/admin.php?page=dpsp-toolkit dpsp_message_class parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:30:20.164Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisories.dxw.com/advisories/reflected-xss-in-social-pug-easy-social-share-buttons-could-allow-an-attacker-to-do-almost-anything-an-admin-user-can/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-01-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The \"Social Pug - Easy Social Share Buttons\" plugin before 1.2.6 for WordPress allows XSS via the wp-admin/admin.php?page=dpsp-toolkit dpsp_message_class parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-09T23:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisories.dxw.com/advisories/reflected-xss-in-social-pug-easy-social-share-buttons-could-allow-an-attacker-to-do-almost-anything-an-admin-user-can/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10736",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The \"Social Pug - Easy Social Share Buttons\" plugin before 1.2.6 for WordPress allows XSS via the wp-admin/admin.php?page=dpsp-toolkit dpsp_message_class parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://advisories.dxw.com/advisories/reflected-xss-in-social-pug-easy-social-share-buttons-could-allow-an-attacker-to-do-almost-anything-an-admin-user-can/",
"refsource": "MISC",
"url": "https://advisories.dxw.com/advisories/reflected-xss-in-social-pug-easy-social-share-buttons-could-allow-an-attacker-to-do-almost-anything-an-admin-user-can/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10736",
"datePublished": "2019-01-09T23:00:00",
"dateReserved": "2019-01-09T00:00:00",
"dateUpdated": "2024-08-06T03:30:20.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}