Vulnerabilities and security researches forpoint-maker point-maker

Oct 19, 2024

CVE, Research URL: CVE-2024-49317
Home page URL: Security reports for Point Maker
Application: Point Maker
Date: Oct 17, 2024
Research Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ZIPANG Point Maker allows PHP Local File Inclusion.This issue affects Point Maker: from n/a through 0.1.4.
Affected versions: max 0.1.5.
Status: vulnerable

Mar 06, 2025

CVE, Research URL: CVE-2024-12815
Home page URL: Security reports for Point Maker
Application: Point Maker
Date: Mar 05, 2025
Research Description: The Point Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'point_maker' shortcode in all versions up to, and including, 0.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 0.1.6.
Status: vulnerable