汇总 premio 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
已披露问题常与 跨站脚本、SQL 注入与CSRF 相关,可能在 生产负载与软件部署 场景中带来 会话劫持与数据泄露 等暴露风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2024-2643 | The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.6.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | [email protected] | 4.8 | 0.25% | 2025-05-15 | 2025-06-11 |
| CVE-2025-1450 | The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-hover’ parameter in all versions up to, and including, 3.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user acce | [email protected] | 6.4 | 0.27% | 2025-02-27 | 2025-03-11 |
| CVE-2024-7133 | The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.7.3 does not validate and escape some of its settings before outputting them back in the page, which could allow users with a high role to perform Stored Cross-Site Scripting attacks. | [email protected] | 4.8 | 0.35% | 2024-09-13 | 2024-09-27 |
| CVE-2024-7317 | The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | [email protected] | 6.4 | 0.27% | 2024-08-06 | 2024-11-22 |
| CVE-2024-4090 | The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | [email protected] | 4.8 | 0.28% | 2024-08-01 | 2025-06-10 |
| CVE-2024-4149 | The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | [email protected] | 4.8 | 0.19% | 2024-06-13 | 2025-03-26 |
| CVE-2024-2972 | The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.1.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | [email protected] | 3.8 | 0.09% | 2024-04-24 | 2025-05-08 |
| CVE-2023-7048 | The My Sticky Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.6. This is due to missing or incorrect nonce validation in mystickymenu-contact-leads.php. This makes it possible for unauthenticated attackers to trigger the export of a CSV file containing contact leads via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Because the CSV file is exported to a public locati | [email protected] | 3.1 | 0.16% | 2024-01-11 | 2026-04-08 |
| CVE-2023-40204 | Unrestricted Upload of File with Dangerous Type vulnerability in Premio Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager.This issue affects Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager: from n/a through 2.9.2. | [email protected] | 9.1 | 0.22% | 2023-12-20 | 2026-04-28 |
| CVE-2023-47759 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Premio Chaty chaty allows DOM-Based XSS.This issue affects Chaty: from n/a through <= 3.1.2. | [email protected] | 5.9 | 0.07% | 2023-11-22 | 2026-04-29 |
| CVE-2023-5509 | The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions. | [email protected] | 5.4 | 0.05% | 2023-11-20 | 2024-11-21 |
| CVE-2023-25019 | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Premio Chaty plugin <= 3.0.9 versions | [email protected] | 7.1 | 0.07% | 2023-08-30 | 2024-11-21 |
| CVE-2023-3248 | The All-in-one Floating Contact Form WordPress plugin before 2.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | [email protected] | 4.8 | 0.08% | 2023-07-24 | 2025-04-23 |
| CVE-2023-3245 | The Floating Chat Widget WordPress plugin before 3.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | [email protected] | 4.8 | 0.08% | 2023-07-17 | 2025-04-23 |
| CVE-2023-0487 | The My Sticky Elements WordPress plugin before 2.0.9 does not properly sanitise and escape a parameter before using it in a SQL statement when deleting messages, leading to a SQL injection exploitable by high privilege users such as admin | [email protected] | 7.2 | 0.54% | 2023-02-27 | 2025-03-10 |
| CVE-2022-3858 | The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button WordPress plugin before 3.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as admin. | [email protected] | 7.2 | 0.79% | 2022-12-05 | 2025-04-23 |
| CVE-2021-36846 | Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Premio Chaty (WordPress plugin) <= 2.8.3 | [email protected] | 4.8 | 0.22% | 2022-04-11 | 2024-11-21 |
| CVE-2022-0148 | The All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs WordPress plugin before 2.0.4 was vulnerable to reflected XSS on the my-sticky-elements-leads admin page. | [email protected] | 5.4 | 8.70% | 2022-02-07 | 2024-11-21 |
| CVE-2021-25016 | The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting | [email protected] | 6.1 | 15.67% | 2022-01-03 | 2024-11-21 |
| CVE-2021-24425 | The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme – myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin's setting, as well as all front-page of the blog (when the Welcome bar is active) | [email protected] | 4.8 | 0.21% | 2021-08-02 | 2024-11-21 |