Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
12 vulnerabilities by videousermanuals
CVE-2026-11898 (GCVE-0-2026-11898)
Vulnerability from nvd – Published: 2026-07-11 05:35 – Updated: 2026-07-15 13:36
VLAI
EPSS
VEX
Title
White Label CMS <= 2.7.12 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import Settings
Summary
The White Label CMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity
4.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| videousermanuals | White Label CMS |
Affected:
0 , ≤ 2.7.12
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11898",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T13:35:57.944931Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T13:36:07.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "White Label CMS",
"vendor": "videousermanuals",
"versions": [
{
"lessThanOrEqual": "2.7.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tal Kantor"
}
],
"descriptions": [
{
"lang": "en",
"value": "The White Label CMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-11T05:35:45.854Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f12cdb6-df2d-419d-a29c-1ff7f9d098f4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/white-label-cms/tags/2.7.12/includes/classes/Admin_Dashboard.php#L430"
},
{
"url": "https://plugins.trac.wordpress.org/browser/white-label-cms/tags/2.7.12/includes/classes/Admin_Dashboard.php#L465"
},
{
"url": "https://plugins.trac.wordpress.org/browser/white-label-cms/tags/2.7.12/includes/classes/Settings.php#L228"
},
{
"url": "https://plugins.trac.wordpress.org/browser/white-label-cms/tags/2.7.12/includes/classes/Settings.php#L124"
},
{
"url": "https://plugins.trac.wordpress.org/browser/white-label-cms/tags/2.7.9/includes/classes/Admin_Dashboard.php#L430"
},
{
"url": "https://plugins.trac.wordpress.org/browser/white-label-cms/tags/2.7.9/includes/classes/Admin_Dashboard.php#L465"
},
{
"url": "https://plugins.trac.wordpress.org/browser/white-label-cms/tags/2.7.9/includes/classes/Settings.php#L228"
},
{
"url": "https://plugins.trac.wordpress.org/browser/white-label-cms/tags/2.7.9/includes/classes/Settings.php#L124"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3600959%40white-label-cms\u0026new=3600959%40white-label-cms"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-22T01:13:46.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-10T16:44:07.000Z",
"value": "Disclosed"
}
],
"title": "White Label CMS \u003c= 2.7.12 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import Settings"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-11898",
"datePublished": "2026-07-11T05:35:45.854Z",
"dateReserved": "2026-06-10T15:40:44.494Z",
"dateUpdated": "2026-07-15T13:36:07.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4280 (GCVE-0-2024-4280)
Vulnerability from nvd – Published: 2024-05-10 05:34 – Updated: 2026-04-08 16:36
VLAI
EPSS
VEX
Title
White Label CMS <= 2.7.3 - Missing Authorization to Plugin Settings Reset
Summary
The White Label CMS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_plugin function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to reset plugin settings.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| videousermanuals | White Label CMS |
Affected:
0 , ≤ 2.7.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-10T13:43:17.077242Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:53:43.312Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:53.282Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/13a206ea-0890-4535-9da7-54a7a45f0452?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3082887/white-label-cms"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "White Label CMS",
"vendor": "videousermanuals",
"versions": [
{
"lessThanOrEqual": "2.7.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The White Label CMS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_plugin function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to reset plugin settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:36:40.605Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/13a206ea-0890-4535-9da7-54a7a45f0452?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3082887/white-label-cms"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-01T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-05-09T16:34:33.000Z",
"value": "Disclosed"
}
],
"title": "White Label CMS \u003c= 2.7.3 - Missing Authorization to Plugin Settings Reset"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4280",
"datePublished": "2024-05-10T05:34:53.844Z",
"dateReserved": "2024-04-26T22:11:03.486Z",
"dateUpdated": "2026-04-08T16:36:40.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-4302 (GCVE-0-2022-4302)
Vulnerability from nvd – Published: 2023-01-02 21:49 – Updated: 2025-04-10 18:59
VLAI
EPSS
VEX
Title
White Label CMS < 2.5 - Admin+ PHP Object Injection
Summary
The White Label CMS WordPress plugin before 2.5 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.
Severity
7.2 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/b7707a15-0987-40… | exploitvdb-entrytechnical-description |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | White Label CMS |
Affected:
0 , < 2.5
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:34:50.153Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/b7707a15-0987-4051-a8ac-7be2424bcb01"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-4302",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T18:57:04.212219Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T18:59:42.356Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "White Label CMS",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "thinhnguyen1337"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The White Label CMS WordPress plugin before 2.5 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-10T09:08:32.058Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/b7707a15-0987-4051-a8ac-7be2424bcb01"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "White Label CMS \u003c 2.5 - Admin+ PHP Object Injection",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-4302",
"datePublished": "2023-01-02T21:49:18.707Z",
"dateReserved": "2022-12-06T10:25:02.996Z",
"dateUpdated": "2025-04-10T18:59:42.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0422 (GCVE-0-2022-0422)
Vulnerability from nvd – Published: 2022-03-07 08:16 – Updated: 2024-08-02 23:25
VLAI
EPSS
VEX
Title
White Label MS < 2.2.9 - Reflected Cross-Site Scripting
Summary
The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/429be4eb-8a6b-45… | x_refsource_MISC |
| https://plugins.trac.wordpress.org/changeset/2672615 | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | White Label CMS |
Affected:
2.2.9 , < 2.2.9
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:25:40.657Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/429be4eb-8a6b-4531-9465-9ef0d35c12cc"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2672615"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "White Label CMS",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.2.9",
"status": "affected",
"version": "2.2.9",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-07T08:16:34.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/429be4eb-8a6b-4531-9465-9ef0d35c12cc"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2672615"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "White Label MS \u003c 2.2.9 - Reflected Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0422",
"STATE": "PUBLIC",
"TITLE": "White Label MS \u003c 2.2.9 - Reflected Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "White Label CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.2.9",
"version_value": "2.2.9"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Krzysztof Zaj\u0105c"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/429be4eb-8a6b-4531-9465-9ef0d35c12cc",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/429be4eb-8a6b-4531-9465-9ef0d35c12cc"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2672615",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2672615"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0422",
"datePublished": "2022-03-07T08:16:34.000Z",
"dateReserved": "2022-01-31T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:25:40.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-5388 (GCVE-0-2012-5388)
Vulnerability from nvd – Published: 2012-10-24 10:00 – Updated: 2024-08-06 21:05
VLAI
EPSS
VEX
Summary
Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the White Label CMS plugin 1.5 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, a related issue to CVE-2012-5387.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| http://www.exploit-db.com/exploits/22156/ | exploitx_refsource_EXPLOIT-DB |
| http://wordpress.org/extend/plugins/white-label-c… | x_refsource_MISC |
| http://www.securityfocus.com/bid/56166 | vdb-entryx_refsource_BID |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entryx_refsource_XF |
| http://packetstormsecurity.org/files/117590/White… | x_refsource_MISC |
Date Public
2012-10-22 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:05:47.236Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "22156",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/22156/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://wordpress.org/extend/plugins/white-label-cms/changelog/"
},
{
"name": "56166",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/56166"
},
{
"name": "wp-whitelabelcms-admin-xss(79522)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79522"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-10-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the White Label CMS plugin 1.5 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, a related issue to CVE-2012-5387."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "22156",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/22156/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://wordpress.org/extend/plugins/white-label-cms/changelog/"
},
{
"name": "56166",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/56166"
},
{
"name": "wp-whitelabelcms-admin-xss(79522)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79522"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-5388",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the White Label CMS plugin 1.5 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, a related issue to CVE-2012-5387."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "22156",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/22156/"
},
{
"name": "http://wordpress.org/extend/plugins/white-label-cms/changelog/",
"refsource": "MISC",
"url": "http://wordpress.org/extend/plugins/white-label-cms/changelog/"
},
{
"name": "56166",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/56166"
},
{
"name": "wp-whitelabelcms-admin-xss(79522)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79522"
},
{
"name": "http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-5388",
"datePublished": "2012-10-24T10:00:00.000Z",
"dateReserved": "2012-10-15T00:00:00.000Z",
"dateUpdated": "2024-08-06T21:05:47.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-5387 (GCVE-0-2012-5387)
Vulnerability from nvd – Published: 2012-10-24 10:00 – Updated: 2024-08-06 21:05
VLAI
EPSS
VEX
Summary
Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in the White Label CMS plugin before 1.5.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify the developer name via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, as demonstrated by a developer name containing XSS sequences.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entryx_refsource_XF |
| http://www.exploit-db.com/exploits/22156/ | exploitx_refsource_EXPLOIT-DB |
| http://www.securityfocus.com/bid/56166 | vdb-entryx_refsource_BID |
| http://packetstormsecurity.org/files/117590/White… | x_refsource_MISC |
| http://wordpress.org/extend/plugins/white-label-c… | x_refsource_CONFIRM |
| http://osvdb.org/86568 | vdb-entryx_refsource_OSVDB |
Date Public
2012-10-22 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:05:47.216Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "wp-whitelabelcms-admin-csrf(79520)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79520"
},
{
"name": "22156",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/22156/"
},
{
"name": "56166",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/56166"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://wordpress.org/extend/plugins/white-label-cms/changelog/"
},
{
"name": "86568",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/86568"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-10-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in the White Label CMS plugin before 1.5.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify the developer name via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, as demonstrated by a developer name containing XSS sequences."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "wp-whitelabelcms-admin-csrf(79520)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79520"
},
{
"name": "22156",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/22156/"
},
{
"name": "56166",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/56166"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://wordpress.org/extend/plugins/white-label-cms/changelog/"
},
{
"name": "86568",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/86568"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-5387",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in the White Label CMS plugin before 1.5.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify the developer name via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, as demonstrated by a developer name containing XSS sequences."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "wp-whitelabelcms-admin-csrf(79520)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79520"
},
{
"name": "22156",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/22156/"
},
{
"name": "56166",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/56166"
},
{
"name": "http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"name": "http://wordpress.org/extend/plugins/white-label-cms/changelog/",
"refsource": "CONFIRM",
"url": "http://wordpress.org/extend/plugins/white-label-cms/changelog/"
},
{
"name": "86568",
"refsource": "OSVDB",
"url": "http://osvdb.org/86568"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-5387",
"datePublished": "2012-10-24T10:00:00.000Z",
"dateReserved": "2012-10-15T00:00:00.000Z",
"dateUpdated": "2024-08-06T21:05:47.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-11898 (GCVE-0-2026-11898)
Vulnerability from cvelistv5 – Published: 2026-07-11 05:35 – Updated: 2026-07-15 13:36
VLAI
EPSS
VEX
Title
White Label CMS <= 2.7.12 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import Settings
Summary
The White Label CMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity
4.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| videousermanuals | White Label CMS |
Affected:
0 , ≤ 2.7.12
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11898",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-15T13:35:57.944931Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-15T13:36:07.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "White Label CMS",
"vendor": "videousermanuals",
"versions": [
{
"lessThanOrEqual": "2.7.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tal Kantor"
}
],
"descriptions": [
{
"lang": "en",
"value": "The White Label CMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-11T05:35:45.854Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1f12cdb6-df2d-419d-a29c-1ff7f9d098f4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/white-label-cms/tags/2.7.12/includes/classes/Admin_Dashboard.php#L430"
},
{
"url": "https://plugins.trac.wordpress.org/browser/white-label-cms/tags/2.7.12/includes/classes/Admin_Dashboard.php#L465"
},
{
"url": "https://plugins.trac.wordpress.org/browser/white-label-cms/tags/2.7.12/includes/classes/Settings.php#L228"
},
{
"url": "https://plugins.trac.wordpress.org/browser/white-label-cms/tags/2.7.12/includes/classes/Settings.php#L124"
},
{
"url": "https://plugins.trac.wordpress.org/browser/white-label-cms/tags/2.7.9/includes/classes/Admin_Dashboard.php#L430"
},
{
"url": "https://plugins.trac.wordpress.org/browser/white-label-cms/tags/2.7.9/includes/classes/Admin_Dashboard.php#L465"
},
{
"url": "https://plugins.trac.wordpress.org/browser/white-label-cms/tags/2.7.9/includes/classes/Settings.php#L228"
},
{
"url": "https://plugins.trac.wordpress.org/browser/white-label-cms/tags/2.7.9/includes/classes/Settings.php#L124"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3600959%40white-label-cms\u0026new=3600959%40white-label-cms"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-22T01:13:46.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-10T16:44:07.000Z",
"value": "Disclosed"
}
],
"title": "White Label CMS \u003c= 2.7.12 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import Settings"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-11898",
"datePublished": "2026-07-11T05:35:45.854Z",
"dateReserved": "2026-06-10T15:40:44.494Z",
"dateUpdated": "2026-07-15T13:36:07.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4280 (GCVE-0-2024-4280)
Vulnerability from cvelistv5 – Published: 2024-05-10 05:34 – Updated: 2026-04-08 16:36
VLAI
EPSS
VEX
Title
White Label CMS <= 2.7.3 - Missing Authorization to Plugin Settings Reset
Summary
The White Label CMS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_plugin function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to reset plugin settings.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| videousermanuals | White Label CMS |
Affected:
0 , ≤ 2.7.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-10T13:43:17.077242Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:53:43.312Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:53.282Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/13a206ea-0890-4535-9da7-54a7a45f0452?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3082887/white-label-cms"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "White Label CMS",
"vendor": "videousermanuals",
"versions": [
{
"lessThanOrEqual": "2.7.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The White Label CMS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_plugin function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to reset plugin settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:36:40.605Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/13a206ea-0890-4535-9da7-54a7a45f0452?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3082887/white-label-cms"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-01T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-05-09T16:34:33.000Z",
"value": "Disclosed"
}
],
"title": "White Label CMS \u003c= 2.7.3 - Missing Authorization to Plugin Settings Reset"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4280",
"datePublished": "2024-05-10T05:34:53.844Z",
"dateReserved": "2024-04-26T22:11:03.486Z",
"dateUpdated": "2026-04-08T16:36:40.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-4302 (GCVE-0-2022-4302)
Vulnerability from cvelistv5 – Published: 2023-01-02 21:49 – Updated: 2025-04-10 18:59
VLAI
EPSS
VEX
Title
White Label CMS < 2.5 - Admin+ PHP Object Injection
Summary
The White Label CMS WordPress plugin before 2.5 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.
Severity
7.2 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/b7707a15-0987-40… | exploitvdb-entrytechnical-description |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | White Label CMS |
Affected:
0 , < 2.5
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:34:50.153Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/b7707a15-0987-4051-a8ac-7be2424bcb01"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-4302",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T18:57:04.212219Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T18:59:42.356Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "White Label CMS",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "thinhnguyen1337"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The White Label CMS WordPress plugin before 2.5 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-10T09:08:32.058Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/b7707a15-0987-4051-a8ac-7be2424bcb01"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "White Label CMS \u003c 2.5 - Admin+ PHP Object Injection",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-4302",
"datePublished": "2023-01-02T21:49:18.707Z",
"dateReserved": "2022-12-06T10:25:02.996Z",
"dateUpdated": "2025-04-10T18:59:42.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0422 (GCVE-0-2022-0422)
Vulnerability from cvelistv5 – Published: 2022-03-07 08:16 – Updated: 2024-08-02 23:25
VLAI
EPSS
VEX
Title
White Label MS < 2.2.9 - Reflected Cross-Site Scripting
Summary
The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/429be4eb-8a6b-45… | x_refsource_MISC |
| https://plugins.trac.wordpress.org/changeset/2672615 | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | White Label CMS |
Affected:
2.2.9 , < 2.2.9
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:25:40.657Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/429be4eb-8a6b-4531-9465-9ef0d35c12cc"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2672615"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "White Label CMS",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.2.9",
"status": "affected",
"version": "2.2.9",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-07T08:16:34.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/429be4eb-8a6b-4531-9465-9ef0d35c12cc"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plugins.trac.wordpress.org/changeset/2672615"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "White Label MS \u003c 2.2.9 - Reflected Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2022-0422",
"STATE": "PUBLIC",
"TITLE": "White Label MS \u003c 2.2.9 - Reflected Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "White Label CMS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.2.9",
"version_value": "2.2.9"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Krzysztof Zaj\u0105c"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/429be4eb-8a6b-4531-9465-9ef0d35c12cc",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/429be4eb-8a6b-4531-9465-9ef0d35c12cc"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2672615",
"refsource": "CONFIRM",
"url": "https://plugins.trac.wordpress.org/changeset/2672615"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-0422",
"datePublished": "2022-03-07T08:16:34.000Z",
"dateReserved": "2022-01-31T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:25:40.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-5388 (GCVE-0-2012-5388)
Vulnerability from cvelistv5 – Published: 2012-10-24 10:00 – Updated: 2024-08-06 21:05
VLAI
EPSS
VEX
Summary
Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the White Label CMS plugin 1.5 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, a related issue to CVE-2012-5387.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| http://www.exploit-db.com/exploits/22156/ | exploitx_refsource_EXPLOIT-DB |
| http://wordpress.org/extend/plugins/white-label-c… | x_refsource_MISC |
| http://www.securityfocus.com/bid/56166 | vdb-entryx_refsource_BID |
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entryx_refsource_XF |
| http://packetstormsecurity.org/files/117590/White… | x_refsource_MISC |
Date Public
2012-10-22 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:05:47.236Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "22156",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/22156/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://wordpress.org/extend/plugins/white-label-cms/changelog/"
},
{
"name": "56166",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/56166"
},
{
"name": "wp-whitelabelcms-admin-xss(79522)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79522"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-10-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the White Label CMS plugin 1.5 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, a related issue to CVE-2012-5387."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "22156",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/22156/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://wordpress.org/extend/plugins/white-label-cms/changelog/"
},
{
"name": "56166",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/56166"
},
{
"name": "wp-whitelabelcms-admin-xss(79522)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79522"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-5388",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the White Label CMS plugin 1.5 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, a related issue to CVE-2012-5387."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "22156",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/22156/"
},
{
"name": "http://wordpress.org/extend/plugins/white-label-cms/changelog/",
"refsource": "MISC",
"url": "http://wordpress.org/extend/plugins/white-label-cms/changelog/"
},
{
"name": "56166",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/56166"
},
{
"name": "wp-whitelabelcms-admin-xss(79522)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79522"
},
{
"name": "http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-5388",
"datePublished": "2012-10-24T10:00:00.000Z",
"dateReserved": "2012-10-15T00:00:00.000Z",
"dateUpdated": "2024-08-06T21:05:47.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-5387 (GCVE-0-2012-5387)
Vulnerability from cvelistv5 – Published: 2012-10-24 10:00 – Updated: 2024-08-06 21:05
VLAI
EPSS
VEX
Summary
Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in the White Label CMS plugin before 1.5.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify the developer name via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, as demonstrated by a developer name containing XSS sequences.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://exchange.xforce.ibmcloud.com/vulnerabilit… | vdb-entryx_refsource_XF |
| http://www.exploit-db.com/exploits/22156/ | exploitx_refsource_EXPLOIT-DB |
| http://www.securityfocus.com/bid/56166 | vdb-entryx_refsource_BID |
| http://packetstormsecurity.org/files/117590/White… | x_refsource_MISC |
| http://wordpress.org/extend/plugins/white-label-c… | x_refsource_CONFIRM |
| http://osvdb.org/86568 | vdb-entryx_refsource_OSVDB |
Date Public
2012-10-22 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:05:47.216Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "wp-whitelabelcms-admin-csrf(79520)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79520"
},
{
"name": "22156",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/22156/"
},
{
"name": "56166",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/56166"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://wordpress.org/extend/plugins/white-label-cms/changelog/"
},
{
"name": "86568",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/86568"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-10-22T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in the White Label CMS plugin before 1.5.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify the developer name via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, as demonstrated by a developer name containing XSS sequences."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "wp-whitelabelcms-admin-csrf(79520)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79520"
},
{
"name": "22156",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/22156/"
},
{
"name": "56166",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/56166"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://wordpress.org/extend/plugins/white-label-cms/changelog/"
},
{
"name": "86568",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/86568"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-5387",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in the White Label CMS plugin before 1.5.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify the developer name via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, as demonstrated by a developer name containing XSS sequences."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "wp-whitelabelcms-admin-csrf(79520)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79520"
},
{
"name": "22156",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/22156/"
},
{
"name": "56166",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/56166"
},
{
"name": "http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html"
},
{
"name": "http://wordpress.org/extend/plugins/white-label-cms/changelog/",
"refsource": "CONFIRM",
"url": "http://wordpress.org/extend/plugins/white-label-cms/changelog/"
},
{
"name": "86568",
"refsource": "OSVDB",
"url": "http://osvdb.org/86568"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-5387",
"datePublished": "2012-10-24T10:00:00.000Z",
"dateReserved": "2012-10-15T00:00:00.000Z",
"dateUpdated": "2024-08-06T21:05:47.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}