Word Balloon

word_balloon

Vendor: Back2nature • 3 CVEs

CVEs (3)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-35781 1Back2nature 1Word Balloon Jun 17, 2026 Jun 21, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in YAHMAN Word Balloon allows PHP Local File Inclusion.This issue affects Word Balloon: from n/a through 4.21.1.
CVE-2023-5884 1Back2nature 1Word Balloon Jun 17, 2026 Dec 4, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Word Balloon WordPress plugin before 4.20.3 does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to trick a logged in user to delete arbitrary avatars by clicking a link.
CVE-2022-4751 1Back2nature 1Word Balloon Jun 17, 2026 Jan 23, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Word Balloon WordPress plugin before 4.19.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform...Show more The Word Balloon WordPress plugin before 4.19.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.Show less