RSS   Vulnerabilities for 'Wp page builder'   RSS

2021-04-05
 
CVE-2021-24208

CWE-79
 

 
The editor of the WP Page Builder WordPress plugin before 1.2.4 allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the �??Raw HTML�?� widget and the �??Custom HTML�?� widgets (though the custom HTML widget requires sending a crafted request - it appears that this widget uses some form of client side validation but not server side validation), all of which are added via the �??page_builder_data�?� parameter when performing the �??wppb_page_save�?� AJAX action. It is also possible to insert malicious JavaScript via the �??wppb_page_css�?� parameter (this can be done by closing out the style tag and opening a script tag) when performing the �??wppb_page_save�?� AJAX action.

 
 
CVE-2021-24207

CWE-863
 

 
By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages.

 

 >>> Vendor: Themeum 4 Products
Tutor lms
Wp page builder
Qubely
Wp crowdfunding


Copyright 2024, cxsecurity.com

 

Back to Top