
2 vulnerabilities by visualportfolio

CVE-2022-2597 (GCVE-0-2022-2597)

Vulnerability from cvelistv5 – Published: 2022-09-05 12:35 – Updated: 2024-08-03 00:46
Title
Visual Portfolio < 2.19.0 - Contributor+ CSS Injection
Summary
The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.19.0 does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts
Severity
No CVSS data available.
CWE
  • CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
Vendor Product Version
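Unknown Visual Portfolio, Photo Gallery & Post Grid Affected: 2.19.0 , < 2.19.0 (custom) — the record gives 2.19.0 as both the `version` and the `lessThan` bound, so read the range from the summary: releases before 2.19.0 are affected.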
Credits
Krzysztof Zając

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:46:03.062Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/3ffcee7c-1e03-448c-8006-a9405658cdb7"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Portfolio, Photo Gallery \u0026 Post Grid",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "2.19.0",
              "status": "affected",
              "version": "2.19.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Krzysztof Zaj\u0105c"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Visual Portfolio, Photo Gallery \u0026 Post Grid WordPress plugin before 2.19.0 does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863 Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-05T12:35:21.000Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/3ffcee7c-1e03-448c-8006-a9405658cdb7"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Visual Portfolio \u003c 2.19.0 - Contributor+ CSS Injection",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-2597",
          "STATE": "PUBLIC",
          "TITLE": "Visual Portfolio \u003c 2.19.0 - Contributor+ CSS Injection"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Visual Portfolio, Photo Gallery \u0026 Post Grid",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "2.19.0",
                            "version_value": "2.19.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Krzysztof Zaj\u0105c"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Visual Portfolio, Photo Gallery \u0026 Post Grid WordPress plugin before 2.19.0 does not have proper authorisation checks in some of its REST endpoints, allowing users with a role as low as contributor to call them and inject arbitrary CSS in arbitrary saved layouts"
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-863 Incorrect Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/3ffcee7c-1e03-448c-8006-a9405658cdb7",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/3ffcee7c-1e03-448c-8006-a9405658cdb7"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-2597",
    "datePublished": "2022-09-05T12:35:21.000Z",
    "dateReserved": "2022-08-01T00:00:00.000Z",
    "dateUpdated": "2024-08-03T00:46:03.062Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-2543 (GCVE-0-2022-2543)

Vulnerability from cvelistv5 – Published: 2022-09-05 12:35 – Updated: 2024-08-03 00:39
Title
Visual Portfolio < 2.18.0 - Unauthenticated CSS Injection
Summary
The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.18.0 does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts
Severity
No CVSS data available.
CWE
  • CWE-862 - Missing Authorization
Assigner
References
Impacted products
Vendor Product Version
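Unknown Visual Portfolio, Photo Gallery & Post Grid Affected: 2.18.0 , < 2.18.0 (custom) — the record gives 2.18.0 as both the `version` and the `lessThan` bound, so read the range from the summary: releases before 2.18.0 are affected.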
Credits
Krzysztof Zając

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T00:39:07.976Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://wpscan.com/vulnerability/5dc8b671-f2fa-47be-8664-9005c4fdbea8"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Visual Portfolio, Photo Gallery \u0026 Post Grid",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThan": "2.18.0",
              "status": "affected",
              "version": "2.18.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Krzysztof Zaj\u0105c"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Visual Portfolio, Photo Gallery \u0026 Post Grid WordPress plugin before 2.18.0 does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-05T12:35:20.000Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://wpscan.com/vulnerability/5dc8b671-f2fa-47be-8664-9005c4fdbea8"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Visual Portfolio \u003c 2.18.0 - Unauthenticated CSS Injection",
      "x_generator": "WPScan CVE Generator",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "contact@wpscan.com",
          "ID": "CVE-2022-2543",
          "STATE": "PUBLIC",
          "TITLE": "Visual Portfolio \u003c 2.18.0 - Unauthenticated CSS Injection"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Visual Portfolio, Photo Gallery \u0026 Post Grid",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "2.18.0",
                            "version_value": "2.18.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Unknown"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Krzysztof Zaj\u0105c"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Visual Portfolio, Photo Gallery \u0026 Post Grid WordPress plugin before 2.18.0 does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts"
            }
          ]
        },
        "generator": "WPScan CVE Generator",
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-862 Missing Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://wpscan.com/vulnerability/5dc8b671-f2fa-47be-8664-9005c4fdbea8",
              "refsource": "MISC",
              "url": "https://wpscan.com/vulnerability/5dc8b671-f2fa-47be-8664-9005c4fdbea8"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2022-2543",
    "datePublished": "2022-09-05T12:35:20.000Z",
    "dateReserved": "2022-07-26T00:00:00.000Z",
    "dateUpdated": "2024-08-03T00:39:07.976Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}