V35HR4J

5 exploits Active since Oct 2021
CVE-2022-1597 NOMISEC MEDIUM WORKING POC
2code Wpqa Builder < 5.4 - XSS
The WPQA Builder WordPress plugin before 5.4, used as a companion for the Discy and Himer themes, does not sanitise and escape a parameter on its reset password form, which makes it possible to perform Reflected Cross-Site Scripting attacks.
4 stars
CVSS 6.1
CVE-2022-1051 NOMISEC MEDIUM WRITEUP
2code Wpqa Builder < 5.2 - XSS
The WPQA Builder Plugin WordPress plugin before 5.2, used as a companion plugin for the Discy and Himer themes, does not sanitise and escape the city, phone or profile credentials fields when outputting them in the profile page, allowing any authenticated user to perform Cross-Site Scripting attacks.
2 stars
CVSS 5.4
CVE-2021-24545 NOMISEC MEDIUM WORKING POC
WP Html Author Bio < 1.2.0 - XSS
The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visits a post in the frontend made by such a user. As a result, a user with a role as low as author could perform Cross-Site Scripting attacks against other users, which could potentially lead to privilege escalation when an admin views the related post(s).
2 stars
CVSS 5.4
CVE-2022-1598 NOMISEC MEDIUM WRITEUP
2code Wpqa Builder < 5.4 - Missing Authentication
The WPQA Builder WordPress plugin before 5.5, which is a companion to the Discy and Himer themes, lacks authentication in a REST API endpoint, allowing unauthenticated users to discover private questions sent between users on the site.
1 star
CVSS 5.3
CVE-2021-24563 NOMISEC MEDIUM WORKING POC
Frontend Uploader < 1.3.2 - XSS
The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing an unauthenticated user to upload a malicious HTML file (containing JavaScript, for example), which will be triggered when someone accesses the file directly.
1 star
CVSS 6.1