
    14 vulnerabilities by wow-estore

    CVE-2023-27452 (GCVE-0-2023-27452)

    Vulnerability from nvd – Published: 2023-06-22 11:59 – Updated: 2026-04-28 16:08
    VLAI
    Title
    WordPress Button Generator – easily Button Builder Plugin <= 2.3.3 is vulnerable to Cross Site Scripting (XSS)
    Summary
    Authenticated (admin or higher) stored Cross-Site Scripting (XSS) vulnerability in the Wow-Company Button Generator – easily Button Builder plugin, versions <= 2.3.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Credits
    Rio Darmawan (Patchstack Alliance)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T12:09:43.439Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/button-generation/wordpress-button-generator-plugin-2-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-27452",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-10T17:22:12.119352Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-10T17:22:31.723Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "button-generation",
              "product": "Button Generator \u2013 easily Button Builder",
              "vendor": "Wow-Company",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.3.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.3.3",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Rio Darmawan (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Wow-Company Button Generator \u2013 easily Button Builder plugin \u003c=\u003cspan style=\"background-color: var(--wht);\"\u003e\u00a02.3.3 versions.\u003c/span\u003e"
                }
              ],
              "value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Wow-Company Button Generator \u2013 easily Button Builder plugin \u003c=\u00a02.3.3 versions."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:08:14.064Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/button-generation/wordpress-button-generator-plugin-2-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to\u00a02.3.4 or a higher version."
                }
              ],
              "value": "Update to\u00a02.3.4 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Button Generator \u2013 easily Button Builder Plugin \u003c= 2.3.3 is vulnerable to Cross Site Scripting (XSS)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-27452",
        "datePublished": "2023-06-22T11:59:18.609Z",
        "dateReserved": "2023-03-01T14:31:56.747Z",
        "dateUpdated": "2026-04-28T16:08:14.064Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-29448 (GCVE-0-2022-29448)

    Vulnerability from nvd – Published: 2022-05-20 19:59 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress Herd Effects plugin <= 5.2 - Local File Inclusion (LFI) vulnerability
    Summary
    Authenticated (admin or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Herd Effects plugin for WordPress, versions <= 5.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Local File Inclusion (LFI)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Wow-Company Herd Effects (WordPress plugin) Affected: <= 5.2 (custom)
    Date Public
    2022-05-16 00:00
    Credits
    Vulnerability discovered by 0xB9 (Patchstack Alliance)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:26:05.227Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/mwp-herd-effect/#developers"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/mwp-herd-effect/wordpress-herd-effects-plugin-5-2-local-file-inclusion-lfi-vulnerability"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-29448",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T19:17:59.175147Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T20:21:40.800Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Herd Effects (WordPress plugin)",
              "vendor": "Wow-Company",
              "versions": [
                {
                  "lessThanOrEqual": "5.2",
                  "status": "affected",
                  "version": "\u003c= 5.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Vulnerability discovered by 0xB9 (Patchstack Alliance)"
            }
          ],
          "datePublic": "2022-05-16T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Authenticated (admin or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company\u0027s Herd Effects plugin \u003c= 5.2 at WordPress."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Local File Inclusion (LFI)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:42.332Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wordpress.org/plugins/mwp-herd-effect/#developers"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://patchstack.com/database/vulnerability/mwp-herd-effect/wordpress-herd-effects-plugin-5-2-local-file-inclusion-lfi-vulnerability"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to 5.2.1 or higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Herd Effects plugin \u003c= 5.2 - Local File Inclusion (LFI) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "audit@patchstack.com",
              "DATE_PUBLIC": "2022-05-16T06:54:00.000Z",
              "ID": "CVE-2022-29448",
              "STATE": "PUBLIC",
              "TITLE": "WordPress Herd Effects plugin \u003c= 5.2 - Local File Inclusion (LFI) vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Herd Effects (WordPress plugin)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "\u003c= 5.2",
                                "version_value": "5.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Wow-Company"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Vulnerability discovered by 0xB9 (Patchstack Alliance)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Authenticated (admin or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company\u0027s Herd Effects plugin \u003c= 5.2 at WordPress."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Local File Inclusion (LFI)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wordpress.org/plugins/mwp-herd-effect/#developers",
                  "refsource": "CONFIRM",
                  "url": "https://wordpress.org/plugins/mwp-herd-effect/#developers"
                },
                {
                  "name": "https://patchstack.com/database/vulnerability/mwp-herd-effect/wordpress-herd-effects-plugin-5-2-local-file-inclusion-lfi-vulnerability",
                  "refsource": "CONFIRM",
                  "url": "https://patchstack.com/database/vulnerability/mwp-herd-effect/wordpress-herd-effects-plugin-5-2-local-file-inclusion-lfi-vulnerability"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to 5.2.1 or higher version."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-29448",
        "datePublished": "2022-05-20T19:59:37.439Z",
        "dateReserved": "2022-04-18T00:00:00.000Z",
        "dateUpdated": "2026-04-28T16:07:42.332Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-29445 (GCVE-0-2022-29445)

    Vulnerability from nvd – Published: 2022-05-18 16:39 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress Popup Box plugin <= 2.1.2 - Authenticated Local File Inclusion (LFI) vulnerability
    Summary
    Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Popup Box plugin for WordPress, versions <= 2.1.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Local File Inclusion (LFI)
    • CWE-706 - Use of Incorrectly-Resolved Name or Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    Wow-Company Popup Box (WordPress plugin) Affected: <= 2.1.2 (custom)
    Date Public
    2022-05-17 00:00
    Credits
    Vulnerability discovered by 0xB9 (Patchstack Alliance)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:26:05.046Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/popup-box/#developers"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/popup-box/wordpress-popup-box-plugin-2-1-2-authenticated-local-file-inclusion-lfi-vulnerability"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-29445",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T19:18:05.208580Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-706",
                    "description": "CWE-706 Use of Incorrectly-Resolved Name or Reference",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T20:22:33.657Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Popup Box (WordPress plugin)",
              "vendor": "Wow-Company",
              "versions": [
                {
                  "lessThanOrEqual": "2.1.2",
                  "status": "affected",
                  "version": "\u003c= 2.1.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Vulnerability discovered by 0xB9 (Patchstack Alliance)"
            }
          ],
          "datePublic": "2022-05-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company\u0027s Popup Box plugin \u003c= 2.1.2 at WordPress."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Local File Inclusion (LFI)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:42.099Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wordpress.org/plugins/popup-box/#developers"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://patchstack.com/database/vulnerability/popup-box/wordpress-popup-box-plugin-2-1-2-authenticated-local-file-inclusion-lfi-vulnerability"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to 2.2 or higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Popup Box plugin \u003c= 2.1.2 - Authenticated Local File Inclusion (LFI) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "audit@patchstack.com",
              "DATE_PUBLIC": "2022-05-17T11:20:00.000Z",
              "ID": "CVE-2022-29445",
              "STATE": "PUBLIC",
              "TITLE": "WordPress Popup Box plugin \u003c= 2.1.2 - Authenticated Local File Inclusion (LFI) vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Popup Box (WordPress plugin)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "\u003c= 2.1.2",
                                "version_value": "2.1.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Wow-Company"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Vulnerability discovered by 0xB9 (Patchstack Alliance)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company\u0027s Popup Box plugin \u003c= 2.1.2 at WordPress."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Local File Inclusion (LFI)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wordpress.org/plugins/popup-box/#developers",
                  "refsource": "CONFIRM",
                  "url": "https://wordpress.org/plugins/popup-box/#developers"
                },
                {
                  "name": "https://patchstack.com/database/vulnerability/popup-box/wordpress-popup-box-plugin-2-1-2-authenticated-local-file-inclusion-lfi-vulnerability",
                  "refsource": "CONFIRM",
                  "url": "https://patchstack.com/database/vulnerability/popup-box/wordpress-popup-box-plugin-2-1-2-authenticated-local-file-inclusion-lfi-vulnerability"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to 2.2 or higher version."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-29445",
        "datePublished": "2022-05-18T16:39:54.226Z",
        "dateReserved": "2022-04-18T00:00:00.000Z",
        "dateUpdated": "2026-04-28T16:07:42.099Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-0313 (GCVE-0-2022-0313)

    Vulnerability from nvd – Published: 2022-02-21 10:46 – Updated: 2024-08-02 23:25
    VLAI
    Title
    Float Menu < 4.3.1 - Arbitrary Menu Deletion via CSRF
    Summary
    The Float menu WordPress plugin before 4.3.1 does not have a CSRF check in place when deleting a menu, which could allow attackers to make a logged-in admin delete menus via a CSRF attack.
    Severity
    No CVSS data available.
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown Float menu – awesome floating side menu Affected: versions before 4.3.1 (< 4.3.1, custom)
    Credits
    Krzysztof Zając

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:25:40.041Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/1ce6c8f4-6f4b-4d56-8d11-43355ef32e8c"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2661431"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Float menu \u2013 awesome floating side menu",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "4.3.1",
                  "status": "affected",
                  "version": "4.3.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Krzysztof Zaj\u0105c"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Float menu WordPress plugin before 4.3.1 does not have CSRF check in place when deleting menu, which could allow attackers to make a logged in admin delete them via a CSRF attack"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-21T10:46:15.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/1ce6c8f4-6f4b-4d56-8d11-43355ef32e8c"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://plugins.trac.wordpress.org/changeset/2661431"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Float Menu \u003c 4.3.1 - Arbitrary Menu Deletion via CSRF",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-0313",
              "STATE": "PUBLIC",
              "TITLE": "Float Menu \u003c 4.3.1 - Arbitrary Menu Deletion via CSRF"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Float menu \u2013 awesome floating side menu",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "4.3.1",
                                "version_value": "4.3.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Krzysztof Zaj\u0105c"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Float menu WordPress plugin before 4.3.1 does not have CSRF check in place when deleting menu, which could allow attackers to make a logged in admin delete them via a CSRF attack"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/1ce6c8f4-6f4b-4d56-8d11-43355ef32e8c",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/1ce6c8f4-6f4b-4d56-8d11-43355ef32e8c"
                },
                {
                  "name": "https://plugins.trac.wordpress.org/changeset/2661431",
                  "refsource": "CONFIRM",
                  "url": "https://plugins.trac.wordpress.org/changeset/2661431"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-0313",
        "datePublished": "2022-02-21T10:46:15.000Z",
        "dateReserved": "2022-01-19T00:00:00.000Z",
        "dateUpdated": "2024-08-02T23:25:40.041Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24580 (GCVE-0-2021-24580)

    Vulnerability from nvd – Published: 2021-08-30 14:11 – Updated: 2024-08-03 19:35
    VLAI
    Title
    Side Menu Lite < 2.2.6 - Authenticated SQL Injection
    Summary
    The Side Menu Lite WordPress plugin before 2.2.6 does not sanitise user input from the List page in the admin dashboard before using it in a SQL statement, leading to a SQL Injection issue.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown Side Menu Lite - add sticky fixed buttons Affected: 2.2.6 , < 2.2.6 (custom)
    Credits
    pang0lin@webray.com.cn

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:35:20.253Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/2faccd1b-4b1c-4b3e-b917-de2d05e860f8"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Side Menu Lite - add sticky fixed buttons",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.2.6",
                  "status": "affected",
                  "version": "2.2.6",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "pang0lin@webray.com.cn"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Side Menu Lite WordPress plugin before 2.2.6 does not sanitise user input from the List page in the admin dashboard before using it in SQL statement, leading to a SQL Injection issue"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-08-30T14:11:22.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/2faccd1b-4b1c-4b3e-b917-de2d05e860f8"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Side Menu Lite \u003c 2.2.6 - Authenticated SQL Injection",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24580",
              "STATE": "PUBLIC",
              "TITLE": "Side Menu Lite \u003c 2.2.6 - Authenticated SQL Injection"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Side Menu Lite - add sticky fixed buttons",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.2.6",
                                "version_value": "2.2.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "pang0lin@webray.com.cn"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Side Menu Lite WordPress plugin before 2.2.6 does not sanitise user input from the List page in the admin dashboard before using it in SQL statement, leading to a SQL Injection issue"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/2faccd1b-4b1c-4b3e-b917-de2d05e860f8",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/2faccd1b-4b1c-4b3e-b917-de2d05e860f8"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24580",
        "datePublished": "2021-08-30T14:11:22.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:35:20.253Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24521 (GCVE-0-2021-24521)

    Vulnerability from nvd – Published: 2021-08-09 10:04 – Updated: 2024-08-03 19:35
    VLAI
    Title
    Side Menu Lite < 2.2.1 - Authenticated SQL Injection
    Summary
    The Side Menu Lite – add sticky fixed buttons WordPress plugin before 2.2.1 does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL Injection attack.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Credits
    pang0lin @webray.com.cn inc

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:35:19.972Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/eb21ebc5-265c-4378-b2c6-62f6bc2f69cd"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pang0lin/CVEproject/blob/main/wordpress_side-menu-lite_sqli.md"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Side Menu Lite \u2013 add sticky fixed buttons",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.2.1",
                  "status": "affected",
                  "version": "2.2.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "pang0lin @webray.com.cn inc"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Side Menu Lite \u2013 add sticky fixed buttons WordPress plugin before 2.2.1 does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL Injection attack."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-08-09T10:04:14.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/eb21ebc5-265c-4378-b2c6-62f6bc2f69cd"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pang0lin/CVEproject/blob/main/wordpress_side-menu-lite_sqli.md"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Side Menu Lite \u003c 2.2.1 - Authenticated SQL Injection",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24521",
              "STATE": "PUBLIC",
              "TITLE": "Side Menu Lite \u003c 2.2.1 - Authenticated SQL Injection"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Side Menu Lite \u2013 add sticky fixed buttons",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.2.1",
                                "version_value": "2.2.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "pang0lin @webray.com.cn inc"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Side Menu Lite \u2013 add sticky fixed buttons WordPress plugin before 2.2.1 does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL Injection attack."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/eb21ebc5-265c-4378-b2c6-62f6bc2f69cd",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/eb21ebc5-265c-4378-b2c6-62f6bc2f69cd"
                },
                {
                  "name": "https://github.com/pang0lin/CVEproject/blob/main/wordpress_side-menu-lite_sqli.md",
                  "refsource": "MISC",
                  "url": "https://github.com/pang0lin/CVEproject/blob/main/wordpress_side-menu-lite_sqli.md"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24521",
        "datePublished": "2021-08-09T10:04:14.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:35:19.972Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24348 (GCVE-0-2021-24348)

    Vulnerability from nvd – Published: 2021-06-14 13:37 – Updated: 2024-08-03 19:28
    VLAI
    Title
    Side Menu < 3.1.5 - Authenticated (admin+) SQL Injection
    Summary
    The menu delete functionality of the Side Menu – add fixed side buttons WordPress plugin before 3.1.5, available to Administrator users, takes the "did" GET parameter and uses it in an SQL statement without proper sanitisation, validation or escaping, therefore leading to a SQL Injection issue.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown Side Menu – add fixed side buttons Affected: 3.1.5 , < 3.1.5 (custom)
    Credits
    Shreya Pohekar of Codevigilant Project

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:28:23.690Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/e0ca257e-6e78-4611-a9ad-be43d37cf474"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://codevigilant.com/disclosure/2021/wp-plugin-side-menu/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Side Menu \u2013 add fixed side buttons",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.1.5",
                  "status": "affected",
                  "version": "3.1.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Shreya Pohekar of Codevigilant Project"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The menu delete functionality of the Side Menu \u2013 add fixed side buttons WordPress plugin before 3.1.5, available to Administrator users takes the did GET parameter and uses it into an SQL statement without proper sanitisation, validation or escaping, therefore leading to a SQL Injection issue"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-14T13:37:12.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/e0ca257e-6e78-4611-a9ad-be43d37cf474"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://codevigilant.com/disclosure/2021/wp-plugin-side-menu/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Side Menu \u003c 3.1.5 - Authenticated (admin+) SQL Injection",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24348",
              "STATE": "PUBLIC",
              "TITLE": "Side Menu \u003c 3.1.5 - Authenticated (admin+) SQL Injection"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Side Menu \u2013 add fixed side buttons",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "3.1.5",
                                "version_value": "3.1.5"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Shreya Pohekar of Codevigilant Project"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The menu delete functionality of the Side Menu \u2013 add fixed side buttons WordPress plugin before 3.1.5, available to Administrator users takes the did GET parameter and uses it into an SQL statement without proper sanitisation, validation or escaping, therefore leading to a SQL Injection issue"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/e0ca257e-6e78-4611-a9ad-be43d37cf474",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/e0ca257e-6e78-4611-a9ad-be43d37cf474"
                },
                {
                  "name": "https://codevigilant.com/disclosure/2021/wp-plugin-side-menu/",
                  "refsource": "MISC",
                  "url": "https://codevigilant.com/disclosure/2021/wp-plugin-side-menu/"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24348",
        "datePublished": "2021-06-14T13:37:12.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:28:23.690Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-27452 (GCVE-0-2023-27452)

    Vulnerability from cvelistv5 – Published: 2023-06-22 11:59 – Updated: 2026-04-28 16:08
    VLAI
    Title
    WordPress Button Generator – easily Button Builder Plugin <= 2.3.3 is vulnerable to Cross Site Scripting (XSS)
    Summary
    Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Wow-Company Button Generator – easily Button Builder plugin, versions <= 2.3.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Credits
    Rio Darmawan (Patchstack Alliance)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T12:09:43.439Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/button-generation/wordpress-button-generator-plugin-2-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-27452",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-10-10T17:22:12.119352Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-10-10T17:22:31.723Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "button-generation",
              "product": "Button Generator \u2013 easily Button Builder",
              "vendor": "Wow-Company",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "2.3.4",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "2.3.3",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Rio Darmawan (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Wow-Company Button Generator \u2013 easily Button Builder plugin \u003c=\u003cspan style=\"background-color: var(--wht);\"\u003e\u00a02.3.3 versions.\u003c/span\u003e"
                }
              ],
              "value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Wow-Company Button Generator \u2013 easily Button Builder plugin \u003c=\u00a02.3.3 versions."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:08:14.064Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/button-generation/wordpress-button-generator-plugin-2-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to\u00a02.3.4 or a higher version."
                }
              ],
              "value": "Update to\u00a02.3.4 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Button Generator \u2013 easily Button Builder Plugin \u003c= 2.3.3 is vulnerable to Cross Site Scripting (XSS)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-27452",
        "datePublished": "2023-06-22T11:59:18.609Z",
        "dateReserved": "2023-03-01T14:31:56.747Z",
        "dateUpdated": "2026-04-28T16:08:14.064Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-29448 (GCVE-0-2022-29448)

    Vulnerability from cvelistv5 – Published: 2022-05-20 19:59 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress Herd Effects plugin <= 5.2 - Local File Inclusion (LFI) vulnerability
    Summary
    Authenticated (admin or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Herd Effects plugin <= 5.2 for WordPress.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Local File Inclusion (LFI)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Wow-Company Herd Effects (WordPress plugin) Affected: <= 5.2 , ≤ 5.2 (custom)
    Date Public
    2022-05-16 00:00
    Credits
    Vulnerability discovered by 0xB9 (Patchstack Alliance)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:26:05.227Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/mwp-herd-effect/#developers"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/mwp-herd-effect/wordpress-herd-effects-plugin-5-2-local-file-inclusion-lfi-vulnerability"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-29448",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T19:17:59.175147Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T20:21:40.800Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Herd Effects (WordPress plugin)",
              "vendor": "Wow-Company",
              "versions": [
                {
                  "lessThanOrEqual": "5.2",
                  "status": "affected",
                  "version": "\u003c= 5.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Vulnerability discovered by 0xB9 (Patchstack Alliance)"
            }
          ],
          "datePublic": "2022-05-16T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Authenticated (admin or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company\u0027s Herd Effects plugin \u003c= 5.2 at WordPress."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Local File Inclusion (LFI)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:42.332Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wordpress.org/plugins/mwp-herd-effect/#developers"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://patchstack.com/database/vulnerability/mwp-herd-effect/wordpress-herd-effects-plugin-5-2-local-file-inclusion-lfi-vulnerability"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to 5.2.1 or higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Herd Effects plugin \u003c= 5.2 - Local File Inclusion (LFI) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "audit@patchstack.com",
              "DATE_PUBLIC": "2022-05-16T06:54:00.000Z",
              "ID": "CVE-2022-29448",
              "STATE": "PUBLIC",
              "TITLE": "WordPress Herd Effects plugin \u003c= 5.2 - Local File Inclusion (LFI) vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Herd Effects (WordPress plugin)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "\u003c= 5.2",
                                "version_value": "5.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Wow-Company"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Vulnerability discovered by 0xB9 (Patchstack Alliance)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Authenticated (admin or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company\u0027s Herd Effects plugin \u003c= 5.2 at WordPress."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Local File Inclusion (LFI)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wordpress.org/plugins/mwp-herd-effect/#developers",
                  "refsource": "CONFIRM",
                  "url": "https://wordpress.org/plugins/mwp-herd-effect/#developers"
                },
                {
                  "name": "https://patchstack.com/database/vulnerability/mwp-herd-effect/wordpress-herd-effects-plugin-5-2-local-file-inclusion-lfi-vulnerability",
                  "refsource": "CONFIRM",
                  "url": "https://patchstack.com/database/vulnerability/mwp-herd-effect/wordpress-herd-effects-plugin-5-2-local-file-inclusion-lfi-vulnerability"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to 5.2.1 or higher version."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-29448",
        "datePublished": "2022-05-20T19:59:37.439Z",
        "dateReserved": "2022-04-18T00:00:00.000Z",
        "dateUpdated": "2026-04-28T16:07:42.332Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-29445 (GCVE-0-2022-29445)

    Vulnerability from cvelistv5 – Published: 2022-05-18 16:39 – Updated: 2026-04-28 16:07
    VLAI
    Title
    WordPress Popup Box plugin <= 2.1.2 - Authenticated Local File Inclusion (LFI) vulnerability
    Summary
    Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Popup Box plugin for WordPress, versions <= 2.1.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • Local File Inclusion (LFI)
    • CWE-706 - Use of Incorrectly-Resolved Name or Reference
    Assigner
    References
    Impacted products
    Vendor Product Version
    Wow-Company Popup Box (WordPress plugin) Affected: <= 2.1.2 , ≤ 2.1.2 (custom)
    Date Public
    2022-05-17 00:00
    Credits
    Vulnerability discovered by 0xB9 (Patchstack Alliance)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T06:26:05.046Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/popup-box/#developers"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/popup-box/wordpress-popup-box-plugin-2-1-2-authenticated-local-file-inclusion-lfi-vulnerability"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-29445",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-20T19:18:05.208580Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-706",
                    "description": "CWE-706 Use of Incorrectly-Resolved Name or Reference",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-20T20:22:33.657Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Popup Box (WordPress plugin)",
              "vendor": "Wow-Company",
              "versions": [
                {
                  "lessThanOrEqual": "2.1.2",
                  "status": "affected",
                  "version": "\u003c= 2.1.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Vulnerability discovered by 0xB9 (Patchstack Alliance)"
            }
          ],
          "datePublic": "2022-05-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company\u0027s Popup Box plugin \u003c= 2.1.2 at WordPress."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Local File Inclusion (LFI)",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:07:42.099Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wordpress.org/plugins/popup-box/#developers"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://patchstack.com/database/vulnerability/popup-box/wordpress-popup-box-plugin-2-1-2-authenticated-local-file-inclusion-lfi-vulnerability"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Update to 2.2 or higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress Popup Box plugin \u003c= 2.1.2 - Authenticated Local File Inclusion (LFI) vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "audit@patchstack.com",
              "DATE_PUBLIC": "2022-05-17T11:20:00.000Z",
              "ID": "CVE-2022-29445",
              "STATE": "PUBLIC",
              "TITLE": "WordPress Popup Box plugin \u003c= 2.1.2 - Authenticated Local File Inclusion (LFI) vulnerability"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Popup Box (WordPress plugin)",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "\u003c= 2.1.2",
                                "version_value": "2.1.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Wow-Company"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Vulnerability discovered by 0xB9 (Patchstack Alliance)"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company\u0027s Popup Box plugin \u003c= 2.1.2 at WordPress."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Local File Inclusion (LFI)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wordpress.org/plugins/popup-box/#developers",
                  "refsource": "CONFIRM",
                  "url": "https://wordpress.org/plugins/popup-box/#developers"
                },
                {
                  "name": "https://patchstack.com/database/vulnerability/popup-box/wordpress-popup-box-plugin-2-1-2-authenticated-local-file-inclusion-lfi-vulnerability",
                  "refsource": "CONFIRM",
                  "url": "https://patchstack.com/database/vulnerability/popup-box/wordpress-popup-box-plugin-2-1-2-authenticated-local-file-inclusion-lfi-vulnerability"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Update to 2.2 or higher version."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2022-29445",
        "datePublished": "2022-05-18T16:39:54.226Z",
        "dateReserved": "2022-04-18T00:00:00.000Z",
        "dateUpdated": "2026-04-28T16:07:42.099Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-0313 (GCVE-0-2022-0313)

    Vulnerability from cvelistv5 – Published: 2022-02-21 10:46 – Updated: 2024-08-02 23:25
    VLAI
    Title
    Float Menu < 4.3.1 - Arbitrary Menu Deletion via CSRF
    Summary
    The Float menu WordPress plugin before 4.3.1 does not have a CSRF check in place when deleting a menu, which could allow attackers to make a logged-in admin delete menus via a CSRF attack.
    Severity
    No CVSS data available.
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown Float menu – awesome floating side menu Affected: 4.3.1 , < 4.3.1 (custom) — read as: versions before 4.3.1, per the title and summary of this entry
    Credits
    Krzysztof Zając

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:25:40.041Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/1ce6c8f4-6f4b-4d56-8d11-43355ef32e8c"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/2661431"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Float menu \u2013 awesome floating side menu",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "4.3.1",
                  "status": "affected",
                  "version": "4.3.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Krzysztof Zaj\u0105c"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Float menu WordPress plugin before 4.3.1 does not have CSRF check in place when deleting menu, which could allow attackers to make a logged in admin delete them via a CSRF attack"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-21T10:46:15.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/1ce6c8f4-6f4b-4d56-8d11-43355ef32e8c"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://plugins.trac.wordpress.org/changeset/2661431"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Float Menu \u003c 4.3.1 - Arbitrary Menu Deletion via CSRF",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-0313",
              "STATE": "PUBLIC",
              "TITLE": "Float Menu \u003c 4.3.1 - Arbitrary Menu Deletion via CSRF"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Float menu \u2013 awesome floating side menu",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "4.3.1",
                                "version_value": "4.3.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Krzysztof Zaj\u0105c"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Float menu WordPress plugin before 4.3.1 does not have CSRF check in place when deleting menu, which could allow attackers to make a logged in admin delete them via a CSRF attack"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/1ce6c8f4-6f4b-4d56-8d11-43355ef32e8c",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/1ce6c8f4-6f4b-4d56-8d11-43355ef32e8c"
                },
                {
                  "name": "https://plugins.trac.wordpress.org/changeset/2661431",
                  "refsource": "CONFIRM",
                  "url": "https://plugins.trac.wordpress.org/changeset/2661431"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-0313",
        "datePublished": "2022-02-21T10:46:15.000Z",
        "dateReserved": "2022-01-19T00:00:00.000Z",
        "dateUpdated": "2024-08-02T23:25:40.041Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24580 (GCVE-0-2021-24580)

    Vulnerability from cvelistv5 – Published: 2021-08-30 14:11 – Updated: 2024-08-03 19:35
    VLAI
    Title
    Side Menu Lite < 2.2.6 - Authenticated SQL Injection
    Summary
    The Side Menu Lite WordPress plugin before 2.2.6 does not sanitise user input from the List page in the admin dashboard before using it in an SQL statement, leading to an SQL injection issue.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown Side Menu Lite - add sticky fixed buttons Affected: 2.2.6 , < 2.2.6 (custom) — read as: versions before 2.2.6, per the title and summary of this entry
    Credits
    pang0lin@webray.com.cn

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:35:20.253Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/2faccd1b-4b1c-4b3e-b917-de2d05e860f8"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Side Menu Lite - add sticky fixed buttons",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.2.6",
                  "status": "affected",
                  "version": "2.2.6",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "pang0lin@webray.com.cn"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Side Menu Lite WordPress plugin before 2.2.6 does not sanitise user input from the List page in the admin dashboard before using it in SQL statement, leading to a SQL Injection issue"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-08-30T14:11:22.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/2faccd1b-4b1c-4b3e-b917-de2d05e860f8"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Side Menu Lite \u003c 2.2.6 - Authenticated SQL Injection",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24580",
              "STATE": "PUBLIC",
              "TITLE": "Side Menu Lite \u003c 2.2.6 - Authenticated SQL Injection"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Side Menu Lite - add sticky fixed buttons",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.2.6",
                                "version_value": "2.2.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "pang0lin@webray.com.cn"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Side Menu Lite WordPress plugin before 2.2.6 does not sanitise user input from the List page in the admin dashboard before using it in SQL statement, leading to a SQL Injection issue"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/2faccd1b-4b1c-4b3e-b917-de2d05e860f8",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/2faccd1b-4b1c-4b3e-b917-de2d05e860f8"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24580",
        "datePublished": "2021-08-30T14:11:22.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:35:20.253Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24521 (GCVE-0-2021-24521)

    Vulnerability from cvelistv5 – Published: 2021-08-09 10:04 – Updated: 2024-08-03 19:35
    Title
    Side Menu Lite < 2.2.1 - Authenticated SQL Injection
    Summary
    The Side Menu Lite – add sticky fixed buttons WordPress plugin before 2.2.1 does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL Injection attack.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Credits
    pang0lin @webray.com.cn inc

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:35:19.972Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/eb21ebc5-265c-4378-b2c6-62f6bc2f69cd"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/pang0lin/CVEproject/blob/main/wordpress_side-menu-lite_sqli.md"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Side Menu Lite \u2013 add sticky fixed buttons",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.2.1",
                  "status": "affected",
                  "version": "2.2.1",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "pang0lin @webray.com.cn inc"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Side Menu Lite \u2013 add sticky fixed buttons WordPress plugin before 2.2.1 does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL Injection attack."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-08-09T10:04:14.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/eb21ebc5-265c-4378-b2c6-62f6bc2f69cd"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/pang0lin/CVEproject/blob/main/wordpress_side-menu-lite_sqli.md"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Side Menu Lite \u003c 2.2.1 - Authenticated SQL Injection",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24521",
              "STATE": "PUBLIC",
              "TITLE": "Side Menu Lite \u003c 2.2.1 - Authenticated SQL Injection"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Side Menu Lite \u2013 add sticky fixed buttons",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "2.2.1",
                                "version_value": "2.2.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "pang0lin @webray.com.cn inc"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The Side Menu Lite \u2013 add sticky fixed buttons WordPress plugin before 2.2.1 does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL Injection attack."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/eb21ebc5-265c-4378-b2c6-62f6bc2f69cd",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/eb21ebc5-265c-4378-b2c6-62f6bc2f69cd"
                },
                {
                  "name": "https://github.com/pang0lin/CVEproject/blob/main/wordpress_side-menu-lite_sqli.md",
                  "refsource": "MISC",
                  "url": "https://github.com/pang0lin/CVEproject/blob/main/wordpress_side-menu-lite_sqli.md"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24521",
        "datePublished": "2021-08-09T10:04:14.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:35:19.972Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24348 (GCVE-0-2021-24348)

    Vulnerability from cvelistv5 – Published: 2021-06-14 13:37 – Updated: 2024-08-03 19:28
    Title
    Side Menu < 3.1.5 - Authenticated (admin+) SQL Injection
    Summary
    The menu delete functionality of the Side Menu – add fixed side buttons WordPress plugin before 3.1.5, which is available to Administrator users, takes the "did" GET parameter and uses it in an SQL statement without proper sanitisation, validation or escaping, leading to an SQL Injection issue.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor: Unknown
    Product: Side Menu – add fixed side buttons
    Version: Affected: 3.1.5 , < 3.1.5 (custom)
    Credits
    Shreya Pohekar of Codevigilant Project

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:28:23.690Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/e0ca257e-6e78-4611-a9ad-be43d37cf474"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://codevigilant.com/disclosure/2021/wp-plugin-side-menu/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Side Menu \u2013 add fixed side buttons",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.1.5",
                  "status": "affected",
                  "version": "3.1.5",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Shreya Pohekar of Codevigilant Project"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The menu delete functionality of the Side Menu \u2013 add fixed side buttons WordPress plugin before 3.1.5, available to Administrator users takes the did GET parameter and uses it into an SQL statement without proper sanitisation, validation or escaping, therefore leading to a SQL Injection issue"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-06-14T13:37:12.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/e0ca257e-6e78-4611-a9ad-be43d37cf474"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://codevigilant.com/disclosure/2021/wp-plugin-side-menu/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Side Menu \u003c 3.1.5 - Authenticated (admin+) SQL Injection",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24348",
              "STATE": "PUBLIC",
              "TITLE": "Side Menu \u003c 3.1.5 - Authenticated (admin+) SQL Injection"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Side Menu \u2013 add fixed side buttons",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "3.1.5",
                                "version_value": "3.1.5"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Shreya Pohekar of Codevigilant Project"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The menu delete functionality of the Side Menu \u2013 add fixed side buttons WordPress plugin before 3.1.5, available to Administrator users takes the did GET parameter and uses it into an SQL statement without proper sanitisation, validation or escaping, therefore leading to a SQL Injection issue"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/e0ca257e-6e78-4611-a9ad-be43d37cf474",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/e0ca257e-6e78-4611-a9ad-be43d37cf474"
                },
                {
                  "name": "https://codevigilant.com/disclosure/2021/wp-plugin-side-menu/",
                  "refsource": "MISC",
                  "url": "https://codevigilant.com/disclosure/2021/wp-plugin-side-menu/"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24348",
        "datePublished": "2021-06-14T13:37:12.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:28:23.690Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }