H5P
Monthly
Reflected cross-site scripting in the H5P WordPress plugin (versions 1.17.6 and earlier) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link, per the CVSS PR:N/UI:R vector. Because the scope is changed (S:C), successful execution can reach beyond the vulnerable component into the authenticated WordPress session context, enabling session/cookie theft or admin-context actions. There is no public exploit identified and the issue is not listed in CISA KEV, so risk is moderate (CVSS 7.1) and contingent on social-engineering a logged-in user.
The Interactive Content WordPress plugin before 1.15.8 does not validate uploads which could allow a Contributors and above to update malicious SVG files, leading to Stored Cross-Site Scripting issues. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Reflected cross-site scripting in the H5P WordPress plugin (versions 1.17.6 and earlier) lets an unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link, per the CVSS PR:N/UI:R vector. Because the scope is changed (S:C), successful execution can reach beyond the vulnerable component into the authenticated WordPress session context, enabling session/cookie theft or admin-context actions. There is no public exploit identified and the issue is not listed in CISA KEV, so risk is moderate (CVSS 7.1) and contingent on social-engineering a logged-in user.
The Interactive Content WordPress plugin before 1.15.8 does not validate uploads which could allow a Contributors and above to update malicious SVG files, leading to Stored Cross-Site Scripting issues. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.