cleantalk
Vulnerabilities and Security Researches

FULL – Cliente, CVE-2024-6447

CVE, Research URL

CVE-2024-6447

Home page URL

Security reports for FULL – Cliente

Application

FULL – Cliente

Published on
Jul 11, 2024
Research Description
The FULL – Cliente plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the license plan parameter in all versions up to, and including, 3.1.12 due to insufficient input sanitization and output escaping as well as missing authorization and capability checks on the related functions. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever an administrative user accesses wp-admin dashboard
Affected versions
Min -, max 3.1.13.
Status
vulnerable
Previous vulnerability researches
FULL – Cliente (CVE-2024-9211) , Oct 12, 2024
FULL – Cliente (CVE-2023-4242) , Jun 07, 2024
FULL – Cliente (CVE-2023-4243) , Jun 07, 2024
FULL – Cliente (CVE-2024-54313) , Dec 15, 2024
FULL – Cliente (CVE-2025-26757) , Feb 24, 2025
New vulnerability
VerticalResponse Newsletter Widget (CVE-2025-4172) , May 04, 2025
Subpage List (CVE-2025-4168) , May 04, 2025
OTP-less one tap Sign in (CVE-2025-3746) , May 04, 2025
Advanced Reorder Image Text Slider (CVE-2025-4188) , May 04, 2025
MStore API (CVE-2025-3438) , May 04, 2025