Vulnerabilites related to Unknown - KKProgressbar2 Free
cve-2024-4534
Vulnerability from cvelistv5
Published
2024-05-27 06:00
Modified
2024-08-09 18:59
Severity ?
EPSS score ?
Summary
The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/7b0046d4-cf95-4307-95a5-9b823f2daaaa/ | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | KKProgressbar2 Free |
Version: 0 ≤ 1.1.4.2 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T20:40:47.496Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "exploit", "vdb-entry", "technical-description", "x_transferred", ], url: "https://wpscan.com/vulnerability/7b0046d4-cf95-4307-95a5-9b823f2daaaa/", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:krzysztof_furtak:kkprogressbar2_free:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "kkprogressbar2_free", vendor: "krzysztof_furtak", versions: [ { lessThanOrEqual: "1.1.4.2", status: "affected", version: "0", versionType: "semver", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2024-4534", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-08-09T18:38:10.669772Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-09T18:59:11.672Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "affected", product: "KKProgressbar2 Free ", vendor: "Unknown", versions: [ { lessThanOrEqual: "1.1.4.2", status: "affected", version: "0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Bob Matyas", }, { lang: "en", type: "coordinator", value: "WPScan", }, ], descriptions: [ { lang: "en", value: "The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack", }, ], problemTypes: [ { descriptions: [ { description: "CWE-352 Cross-Site Request Forgery (CSRF)", lang: "en", type: "CWE", }, ], }, { descriptions: [ { description: "CWE-79 Cross-Site Scripting (XSS)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-27T06:00:02.758Z", orgId: "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", shortName: "WPScan", }, references: [ { tags: [ "exploit", "vdb-entry", "technical-description", ], url: "https://wpscan.com/vulnerability/7b0046d4-cf95-4307-95a5-9b823f2daaaa/", }, ], source: { discovery: "EXTERNAL", }, title: "KKProgressbar2 Free <= 1.1.4.2 - Stored XSS via CSRF", x_generator: { engine: "WPScan CVE Generator", }, }, }, cveMetadata: { assignerOrgId: "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", assignerShortName: "WPScan", cveId: "CVE-2024-4534", datePublished: "2024-05-27T06:00:02.758Z", dateReserved: "2024-05-05T23:28:59.278Z", dateUpdated: "2024-08-09T18:59:11.672Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-4533
Vulnerability from cvelistv5
Published
2024-05-27 06:00
Modified
2025-03-25 18:39
Severity ?
EPSS score ?
Summary
The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admin users to perform SQL injection attacks
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/c3406236-aaee-480a-8931-79c867252f11/ | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | KKProgressbar2 Free |
Version: 0 ≤ 1.1.4.2 |
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2024-4533", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-25T18:39:07.198337Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-25T18:39:38.191Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T20:40:47.525Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "exploit", "vdb-entry", "technical-description", "x_transferred", ], url: "https://wpscan.com/vulnerability/c3406236-aaee-480a-8931-79c867252f11/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "affected", product: "KKProgressbar2 Free ", vendor: "Unknown", versions: [ { lessThanOrEqual: "1.1.4.2", status: "affected", version: "0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Bob Matyas", }, { lang: "en", type: "coordinator", value: "WPScan", }, ], descriptions: [ { lang: "en", value: "The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admin users to perform SQL injection attacks", }, ], problemTypes: [ { descriptions: [ { description: "CWE-89 SQL Injection", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-27T06:00:02.573Z", orgId: "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", shortName: "WPScan", }, references: [ { tags: [ "exploit", "vdb-entry", "technical-description", ], url: "https://wpscan.com/vulnerability/c3406236-aaee-480a-8931-79c867252f11/", }, ], source: { discovery: "EXTERNAL", }, title: "KKProgressbar2 Free <= 1.1.4.2 - Admin+ SQL Injection", x_generator: { engine: "WPScan CVE Generator", }, }, }, cveMetadata: { assignerOrgId: "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", assignerShortName: "WPScan", cveId: "CVE-2024-4533", datePublished: "2024-05-27T06:00:02.573Z", dateReserved: "2024-05-05T23:27:01.800Z", dateUpdated: "2025-03-25T18:39:38.191Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-4535
Vulnerability from cvelistv5
Published
2024-05-27 06:00
Modified
2025-03-25 14:21
Severity ?
EPSS score ?
Summary
The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/d4980886-da10-4bbc-a84a-fe071ab3b755/ | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | KKProgressbar2 Free |
Version: 0 ≤ 1.1.4.2 |
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2024-4535", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-05-28T14:20:52.252927Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-25T14:21:30.651Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T20:40:47.529Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "exploit", "vdb-entry", "technical-description", "x_transferred", ], url: "https://wpscan.com/vulnerability/d4980886-da10-4bbc-a84a-fe071ab3b755/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "affected", product: "KKProgressbar2 Free ", vendor: "Unknown", versions: [ { lessThanOrEqual: "1.1.4.2", status: "affected", version: "0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Bob Matyas", }, { lang: "en", type: "coordinator", value: "WPScan", }, ], descriptions: [ { lang: "en", value: "The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks", }, ], problemTypes: [ { descriptions: [ { description: "CWE-352 Cross-Site Request Forgery (CSRF)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-27T06:00:02.939Z", orgId: "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", shortName: "WPScan", }, references: [ { tags: [ "exploit", "vdb-entry", "technical-description", ], url: "https://wpscan.com/vulnerability/d4980886-da10-4bbc-a84a-fe071ab3b755/", }, ], source: { discovery: "EXTERNAL", }, title: "KKProgressbar2 Free <= 1.1.4.2 - Progress Bar Deletion via CSRF", x_generator: { engine: "WPScan CVE Generator", }, }, }, cveMetadata: { assignerOrgId: "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", assignerShortName: "WPScan", cveId: "CVE-2024-4535", datePublished: "2024-05-27T06:00:02.939Z", dateReserved: "2024-05-05T23:31:24.589Z", dateUpdated: "2025-03-25T14:21:30.651Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }