Welaunch

welaunch

5 CVEs • 3 products

Products (3)

Click to collapse

Toggle

Wordpress Gdpr&ccpa

wordpress_gdpr&ccpa

Wordpress Country Selector

wordpress_country_selector

CVEs (5)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-11069 1Welaunch 1Wordpress Gdpr Jan 23, 2025 Nov 19, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 The WordPress GDPR plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'WordPress_GDPR_Data_Delete::check_action' function in all versions up to, and including, 2.0.2....Show more The WordPress GDPR plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'WordPress_GDPR_Data_Delete::check_action' function in all versions up to, and including, 2.0.2. This makes it possible for unauthenticated attackers to delete arbitrary users.Show less
CVE-2024-10388 1Welaunch 1Wordpress Gdpr Jan 23, 2025 Nov 19, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The WordPress GDPR plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gdpr_firstname' and 'gdpr_lastname' parameters in all versions up to, and including, 2.0.2 due to insufficient input sanitizat...Show more The WordPress GDPR plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gdpr_firstname' and 'gdpr_lastname' parameters in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.Show less
CVE-2022-28290 1Welaunch 1Wordpress Country Selector Nov 21, 2024 Apr 25, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Reflective Cross-Site Scripting vulnerability in WordPress Country Selector Plugin Version 1.6.5. The XSS payload executes whenever the user tries to access the country selector page with the specified payload as a part...Show more Reflective Cross-Site Scripting vulnerability in WordPress Country Selector Plugin Version 1.6.5. The XSS payload executes whenever the user tries to access the country selector page with the specified payload as a part of the HTTP requestShow less
CVE-2022-0220 1Welaunch 1Wordpress Gdpr&ccpa Nov 21, 2024 Feb 1, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type....Show more The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim's browser. Due to v1.9.26 adding a CSRF check, the XSS is only exploitable against unauthenticated users (as they all share the same nonce)Show less
CVE-2021-24814 1Welaunch 1Wordpress Gdpr&ccpa Nov 21, 2024 Feb 1, 2022 N/A· v4 9.6 CRITICAL· v3 6.8 MEDIUM· v2 The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.26, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type....Show more The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.26, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim's browser. If the victim is an administrator with a valid session cookie, full control of the WordPress instance may be taken (AJAX calls and iframe manipulation are possible because the vulnerable endpoint is on the same domain as the admin panel - there is no same-origin restriction).Show less