Simple Urls
Monthly
Stored Cross-Site Scripting in the Simple URLs WordPress plugin (versions <= 151) allows authenticated author-level users to inject persistent malicious scripts into content rendered in the WordPress admin interface. The CVSS Scope:Changed metric indicates the injected payload executes in a security context beyond the attacker's own session - most likely the administrative dashboard viewed by higher-privileged users such as site administrators. No public exploit code or active exploitation confirmed at time of analysis, but the scope change introduces a realistic privilege escalation path from author to administrator via session hijacking.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lasso Simple URLs - Link Cloaking, Product Displays, and Affiliate Link Management allows Stored. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in Lasso Simple URLs plugin <= 120 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Simple URLs WordPress plugin before 115 does not sanitise and escape some parameters before outputting them back in some pages, leading to Reflected Cross-Site Scripting which could be used. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Simple URLs WordPress plugin before 115 does not escape some parameters before using them in various SQL statements used by AJAX actions available by any authenticated users, leading to a SQL. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Stored Cross-Site Scripting in the Simple URLs WordPress plugin (versions <= 151) allows authenticated author-level users to inject persistent malicious scripts into content rendered in the WordPress admin interface. The CVSS Scope:Changed metric indicates the injected payload executes in a security context beyond the attacker's own session - most likely the administrative dashboard viewed by higher-privileged users such as site administrators. No public exploit code or active exploitation confirmed at time of analysis, but the scope change introduces a realistic privilege escalation path from author to administrator via session hijacking.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lasso Simple URLs - Link Cloaking, Product Displays, and Affiliate Link Management allows Stored. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in Lasso Simple URLs plugin <= 120 versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Simple URLs WordPress plugin before 115 does not sanitise and escape some parameters before outputting them back in some pages, leading to Reflected Cross-Site Scripting which could be used. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Simple URLs WordPress plugin before 115 does not escape some parameters before using them in various SQL statements used by AJAX actions available by any authenticated users, leading to a SQL. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.