MidnightBSD

Advisories for onedesigns

CVE-2011-3860 MEDIUM

Cross-site scripting (XSS) vulnerability in the Cover WP theme before 1.6.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
onedesigns cover_wp 1.5.2
onedesigns cover_wp 1.5.6
onedesigns cover_wp 1.6.3
onedesigns cover_wp 1.3
onedesigns cover_wp 1.5.5
onedesigns cover_wp 1.5.9
onedesigns cover_wp 1.5.1
onedesigns cover_wp 1.6
onedesigns cover_wp 1.5.8
onedesigns cover_wp 1.5.4
onedesigns cover_wp 1.5.7
onedesigns cover_wp 1.2
onedesigns cover_wp 1.1
onedesigns cover_wp 1.4
onedesigns cover_wp 1.4.1
onedesigns cover_wp 1.6.1
onedesigns cover_wp 1.6.2
onedesigns cover_wp 1.5.3
onedesigns cover_wp 1.5
onedesigns cover_wp 1.6.4
onedesigns cover_wp *
CVE-2021-24672 LOW

The One User Avatar WordPress plugin before 2.3.7 does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
onedesigns one_user_avatar *
CVE-2021-24675 MEDIUM

The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the Avatar in page where the [avatar_upload] shortcode is embed. As a result, attackers could make logged in user change their avatar via a CSRF attack

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
onedesigns one_user_avatar *