VYPR

Custom Content Shortcode

by WordPress

CVEs (5)

  • CVE-2023-0340HigMar 20, 2023
    risk 0.57cvss 8.8epss 0.01

    The Custom Content Shortcode WordPress plugin through 4.0.2 does not validate one of its shortcode attribute, which could allow users with a contributor role and above to include arbitrary files via a traversal attack. This could also allow them to read non PHP files and…

  • CVE-2023-0273MedMar 20, 2023
    risk 0.35cvss 5.4epss 0.00

    The Custom Content Shortcode WordPress plugin through 4.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored…

  • CVE-2021-24826MedMar 7, 2022
    risk 0.35cvss 5.4epss 0.01

    The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. Please…

  • CVE-2021-24825MedMar 7, 2022
    risk 0.28cvss 4.3epss 0.00

    The Custom Content Shortcode WordPress plugin before 4.0.2 does not validate the data passed to its load shortcode, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to display arbitrary files from the filesystem (such as logs, .htaccess etc), as well as…

  • CVE-2021-24824MedMar 7, 2022
    risk 0.28cvss 4.3epss 0.01

    The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This could lead to sensitive data disclosure, for example when used in combination…