Refine your search
4 vulnerabilities found for CM Tooltip Glossary by creativemindssolutions
CVE-2024-11202 (GCVE-0-2024-11202)
Vulnerability from cvelistv5
Published
2024-11-26 07:31
Modified
2026-04-08 17:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| creativemindssolutions | CM Header and Footer – Add custom scripts and styles to your header and footer with ease |
Version: 0 ≤ 1.2.1 |
||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T14:03:41.646023Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T14:09:25.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CM Header and Footer \u2013 Add custom scripts and styles to your header and footer with ease",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CM Business Directory \u2013 Optimise and showcase local business",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CM Search And Replace \u2013 Optimize content edits with a powerful search and replace tool",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CM E-Mail Blacklist \u2013 Simple email filtering for safer registration",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.5.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CM Pop-Up \u2013 Create engaging popups to capture attention and boost interaction",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.7.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CM Video Lessons Manager \u2013 Simplify video lessons management for better education",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.8.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CM Tooltip Glossary",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "4.3.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:27:35.857Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-pop-up-banners/trunk/package/cminds-free.php#L1471"
},
{
"url": "https://wordpress.org/plugins/cm-pop-up-banners/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-header-footer-script-loader/trunk/package/cminds-free.php#L1465"
},
{
"url": "https://plugins.trac.wordpress.org/browser/enhanced-tooltipglossary/trunk/package/cminds-free.php#L1465"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-business-directory/trunk/package/cminds-free.php#L1465"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-video-lesson-manager/trunk/package/cminds-free.php#L1465"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-email-blacklist/trunk/package/cminds-free.php#L1465"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-on-demand-search-and-replace/trunk/package/cminds-free.php#L1469"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3191536/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3192416/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3193808/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3192354/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3194393/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3192808/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3192381/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-25T19:30:14.000Z",
"value": "Disclosed"
}
],
"title": "Multiple Plugins \u003c= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11202",
"datePublished": "2024-11-26T07:31:31.790Z",
"dateReserved": "2024-11-14T00:00:21.262Z",
"dateUpdated": "2026-04-08T17:27:35.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-48041 (GCVE-0-2024-48041)
Vulnerability from cvelistv5
Published
2024-10-11 18:27
Modified
2026-04-28 16:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Tooltip Glossary enhanced-tooltipglossary allows Stored XSS.This issue affects CM Tooltip Glossary: from n/a through <= 4.3.9.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM Tooltip Glossary |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48041",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-11T18:45:11.226268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-11T18:45:21.738Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "enhanced-tooltipglossary",
"product": "CM Tooltip Glossary",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "4.3.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.3.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert DeVore | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:28:10.429Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Tooltip Glossary enhanced-tooltipglossary allows Stored XSS.\u003cp\u003eThis issue affects CM Tooltip Glossary: from n/a through \u003c= 4.3.9.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Tooltip Glossary enhanced-tooltipglossary allows Stored XSS.This issue affects CM Tooltip Glossary: from n/a through \u003c= 4.3.9."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:22.358Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/enhanced-tooltipglossary/vulnerability/wordpress-cm-tooltip-glossary-plugin-4-3-9-privilege-escalation-vulnerability?_s_id=cve"
}
],
"title": "WordPress CM Tooltip Glossary plugin \u003c= 4.3.9 - Stored Cross-Site Scripting vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-48041",
"datePublished": "2024-10-11T18:27:15.935Z",
"dateReserved": "2024-10-08T13:14:57.116Z",
"dateUpdated": "2026-04-28T16:10:22.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43149 (GCVE-0-2024-43149)
Vulnerability from cvelistv5
Published
2024-08-12 22:13
Modified
2026-04-28 16:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Tooltip Glossary allows Stored XSS.This issue affects CM Tooltip Glossary: from n/a through 4.3.7.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM Tooltip Glossary |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43149",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-13T13:50:58.967525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T14:05:24.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "enhanced-tooltipglossary",
"product": "CM Tooltip Glossary",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "4.3.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.3.7",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "LVT-tholv2k (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Tooltip Glossary allows Stored XSS.\u003cp\u003eThis issue affects CM Tooltip Glossary: from n/a through 4.3.7.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Tooltip Glossary allows Stored XSS.This issue affects CM Tooltip Glossary: from n/a through 4.3.7."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:09.203Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/enhanced-tooltipglossary/wordpress-cm-tooltip-glossary-plugin-4-3-7-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 4.3.9 or a higher version."
}
],
"value": "Update to 4.3.9 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress CM Tooltip Glossary Plugin \u003c= 4.3.7 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-43149",
"datePublished": "2024-08-12T22:13:29.806Z",
"dateReserved": "2024-08-07T09:19:26.673Z",
"dateUpdated": "2026-04-28T16:10:09.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4086 (GCVE-0-2024-4086)
Vulnerability from cvelistv5
Published
2024-05-02 16:52
Modified
2026-04-08 17:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The CM Tooltip Glossary – Powerful Glossary Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.11. This is due to missing or incorrect nonce validation when saving settings. This makes it possible for unauthenticated attackers to change the plugin's settings or reset them via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| creativemindssolutions | CM Tooltip Glossary |
Version: 0 ≤ 4.2.11 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4086",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-09T19:14:05.978645Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:54:09.504Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:51.657Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3e2ddde-1421-4352-b93a-1492574f624e?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3076616/enhanced-tooltipglossary/trunk/settings/CMTT_Settings.php?contextall=1\u0026old=3029791\u0026old_path=%2Fenhanced-tooltipglossary%2Ftrunk%2Fsettings%2FCMTT_Settings.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CM Tooltip Glossary",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "4.2.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Benedictus Jovan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The CM Tooltip Glossary \u2013 Powerful Glossary Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.11. This is due to missing or incorrect nonce validation when saving settings. This makes it possible for unauthenticated attackers to change the plugin\u0027s settings or reset them via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:32:59.143Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3e2ddde-1421-4352-b93a-1492574f624e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3076616/enhanced-tooltipglossary/trunk/settings/CMTT_Settings.php?contextall=1\u0026old=3029791\u0026old_path=%2Fenhanced-tooltipglossary%2Ftrunk%2Fsettings%2FCMTT_Settings.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-24T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "CM Tooltip Glossary \u2013 Powerful Glossary Plugin \u003c= 4.2.11 - Cross-Site Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4086",
"datePublished": "2024-05-02T16:52:51.436Z",
"dateReserved": "2024-04-23T16:24:44.990Z",
"dateUpdated": "2026-04-08T17:32:59.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}