cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forjquery-collapse-o-matic jquery-collapse-o-matic

Direction: ascending
Jun 07, 2024

Collapse-O-Matic # CVE-2022-4475

CVE, Research URL

CVE-2022-4475

Home page URL

Security reports for Collapse-O-Matic

Application

Collapse-O-Matic

Date
Jan 23, 2023
Research Description
The Collapse-O-Matic WordPress plugin before 1.8.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin.
Affected versions
Min -, max -.
Status
vulnerable

Collapse-O-Matic # CVE-2023-40669

CVE, Research URL

CVE-2023-40669

Home page URL

Security reports for Collapse-O-Matic

Application

Collapse-O-Matic

Date
Sep 27, 2023
Research Description
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in twinpictures, baden03 Collapse-O-Matic plugin <= 1.8.5.5 versions.
Affected versions
Min -, max -.
Status
vulnerable

Collapse-O-Matic # CVE-2023-7030

CVE, Research URL

CVE-2023-7030

Home page URL

Security reports for Collapse-O-Matic

Application

Collapse-O-Matic

Date
May 02, 2024
Research Description
The Collapse-O-Matic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'expand' shortcode in all versions up to, and including, 1.8.5.5 due to insufficient input sanitization and output escaping on the 'tag' user supplied attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max -.
Status
vulnerable
Jun 17, 2024

Collapse-O-Matic # CVE-2024-4095

CVE, Research URL

CVE-2024-4095

Home page URL

Security reports for Collapse-O-Matic

Application

Collapse-O-Matic

Date
Jun 15, 2024
Research Description
The Collapse-O-Matic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'expand' and 'expandsub' shortcode in all versions up to, and including, 1.8.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max -.
Status
vulnerable