Vulnerabilities related to Unknown - Giveaways and Contests by RafflePress
cve-2024-6887
Vulnerability from cvelistv5
Published
2024-09-12 06:00
Modified
2024-09-12 18:30
Summary
The Giveaways and Contests by RafflePress WordPress plugin before 1.12.16 does not sanitise and escape some of its Giveaways settings, which could allow high privilege users such as editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
References
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/553806f4-da20-433c-8c19-35e6c87ccade/ | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | Giveaways and Contests by RafflePress | 0 < 1.12.16 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:rafflepress:giveaways_and_contests_by_rafflepress:*:*:*:*:*:wordpress:*:*", ], defaultStatus: "unknown", product: "giveaways_and_contests_by_rafflepress", vendor: "rafflepress", versions: [ { lessThan: "1.12.16", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2024-6887", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-12T18:28:24.462891Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T18:30:05.435Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Giveaways and Contests by RafflePress", vendor: "Unknown", versions: [ { lessThan: "1.12.16", status: "affected", version: "0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Dmitrii Ignatyev", }, { lang: "en", type: "coordinator", value: "WPScan", }, ], descriptions: [ { lang: "en", value: "The Giveaways and Contests by RafflePress WordPress plugin before 1.12.16 does not sanitise and escape some of its Giveaways settings, which could allow high privilege users such as editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)", }, ], problemTypes: [ { descriptions: [ { description: "CWE-79 Cross-Site Scripting (XSS)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { 
dateUpdated: "2024-09-12T06:00:04.189Z", orgId: "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", shortName: "WPScan", }, references: [ { tags: [ "exploit", "vdb-entry", "technical-description", ], url: "https://wpscan.com/vulnerability/553806f4-da20-433c-8c19-35e6c87ccade/", }, ], source: { discovery: "EXTERNAL", }, title: "Giveaways and Contests by RafflePress < 1.12.16 - Editor+ Stored XSS", x_generator: { engine: "WPScan CVE Generator", }, }, }, cveMetadata: { assignerOrgId: "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", assignerShortName: "WPScan", cveId: "CVE-2024-6887", datePublished: "2024-09-12T06:00:04.189Z", dateReserved: "2024-07-18T19:01:31.012Z", dateUpdated: "2024-09-12T18:30:05.435Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-3963
Vulnerability from cvelistv5
Published
2024-07-13 06:00
Modified
2024-08-01 20:26
Summary
The Giveaways and Contests by RafflePress WordPress plugin before 1.12.14 does not sanitise and escape some parameters, which could allow users with a role as low as editor to perform Cross-Site Scripting attacks.
References
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/827d738e-5369-431e-8438-b5c4d8c1f8f1/ | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | Giveaways and Contests by RafflePress | 0 < 1.12.14 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:rafflepress:giveaways_and_contests_by_rafflepress:*:*:*:*:*:wordpress:*:*", ], defaultStatus: "unaffected", product: "giveaways_and_contests_by_rafflepress", vendor: "rafflepress", versions: [ { lessThan: "1.12.14", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", version: "3.1", }, }, { other: { content: { id: "CVE-2024-3963", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-15T14:16:22.431525Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-15T14:57:22.231Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T20:26:57.225Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "exploit", "vdb-entry", "technical-description", "x_transferred", ], url: "https://wpscan.com/vulnerability/827d738e-5369-431e-8438-b5c4d8c1f8f1/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Giveaways and Contests by RafflePress ", vendor: "Unknown", versions: [ { lessThan: "1.12.14", status: "affected", version: "0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Krugov Aryom", }, { lang: "en", type: "coordinator", value: "WPScan", }, ], descriptions: [ { lang: "en", value: "The Giveaways and Contests by RafflePress WordPress plugin before 1.12.14 does not sanitise and escape some parameters, which could allow users 
with a role as low as editor to perform Cross-Site Scripting attacks", }, ], problemTypes: [ { descriptions: [ { description: "CWE-79 Cross-Site Scripting (XSS)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-13T06:00:05.270Z", orgId: "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", shortName: "WPScan", }, references: [ { tags: [ "exploit", "vdb-entry", "technical-description", ], url: "https://wpscan.com/vulnerability/827d738e-5369-431e-8438-b5c4d8c1f8f1/", }, ], source: { discovery: "EXTERNAL", }, title: "RafflePress Lite < 1.12.14 - Editor+ Stored XSS", x_generator: { engine: "WPScan CVE Generator", }, }, }, cveMetadata: { assignerOrgId: "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", assignerShortName: "WPScan", cveId: "CVE-2024-3963", datePublished: "2024-07-13T06:00:05.270Z", dateReserved: "2024-04-18T19:08:32.226Z", dateUpdated: "2024-08-01T20:26:57.225Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-0176
Vulnerability from cvelistv5
Published
2023-02-06 19:59
Modified
2025-03-25 18:04
Summary
The Giveaways and Contests by RafflePress WordPress plugin before 1.11.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
References
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/a762c25b-5c47-400e-8964-407cf4c94e9f | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | Giveaways and Contests by RafflePress | 0 < 1.11.3 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T05:02:44.012Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "exploit", "vdb-entry", "technical-description", "x_transferred", ], url: "https://wpscan.com/vulnerability/a762c25b-5c47-400e-8964-407cf4c94e9f", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2023-0176", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-25T18:03:22.845477Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-25T18:04:00.655Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://wordpress.org/plugins", defaultStatus: "unaffected", product: "Giveaways and Contests by RafflePress", vendor: "Unknown", versions: [ { lessThan: "1.11.3", status: "affected", version: "0", versionType: "custom", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Lana Codes", }, { lang: "en", type: "coordinator", value: "WPScan", }, ], descriptions: [ { lang: "en", value: "The Giveaways and Contests by RafflePress WordPress plugin before 1.11.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.", }, ], problemTypes: [ { descriptions: [ { description: "CWE-79 Cross-Site Scripting (XSS)", lang: 
"en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-02-06T19:59:46.410Z", orgId: "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", shortName: "WPScan", }, references: [ { tags: [ "exploit", "vdb-entry", "technical-description", ], url: "https://wpscan.com/vulnerability/a762c25b-5c47-400e-8964-407cf4c94e9f", }, ], source: { discovery: "EXTERNAL", }, title: "Giveaways and Contests by RafflePress < 1.11.3 - Contributor+ Stored XSS", x_generator: { engine: "WPScan CVE Generator", }, }, }, cveMetadata: { assignerOrgId: "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", assignerShortName: "WPScan", cveId: "CVE-2023-0176", datePublished: "2023-02-06T19:59:46.410Z", dateReserved: "2023-01-11T03:10:16.372Z", dateUpdated: "2025-03-25T18:04:00.655Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }