Vulnerabilities > Dfactory
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-10-23 | CVE-2024-43924 | Missing Authorization vulnerability in Dfactory Responsive Lightbox. Missing Authorization vulnerability in dFactory Responsive Lightbox allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Responsive Lightbox: from n/a through 2.4.7. | 9.8 |
2024-08-22 | CVE-2024-6870 | Cross-site Scripting vulnerability in Dfactory Responsive Lightbox. The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping affecting the rl_upload_image AJAX endpoint. | 5.4 |
2023-12-15 | CVE-2023-49174 | Cross-site Scripting vulnerability in Dfactory Responsive Lightbox. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dFactory Responsive Lightbox & Gallery allows Stored XSS. This issue affects Responsive Lightbox & Gallery: from n/a through 2.4.5. | 5.4 |
2023-03-06 | CVE-2023-0076 | Unspecified vulnerability in Dfactory Download Attachments. The Download Attachments WordPress plugin before 1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 5.4 |
2021-09-20 | CVE-2021-24613 | Cross-site Scripting vulnerability in Dfactory Post Views Counter. The Post Views Counter WordPress plugin before 1.3.5 does not sanitise or escape its Post Views Label settings, which could allow high privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfiltered_html capability is disallowed. | 4.8 |
2017-07-07 | CVE-2017-2243 | Cross-site Scripting vulnerability in Dfactory Responsive Lightbox. Cross-site scripting vulnerability in Responsive Lightbox prior to version 1.7.2 allows an attacker to inject arbitrary web script or HTML via unspecified vectors. | 6.1 |