CVE-2024-35749 – WordPress Under Construction / Maintenance Mode from Acurax plugin <= 2.6 - IP Bypass vulnerability
https://notcve.org/view.php?id=CVE-2024-35749
Authentication Bypass by Spoofing vulnerability in Acurax Under Construction / Maintenance Mode from Acurax allows Authentication Bypass. This issue affects Under Construction / Maintenance Mode from Acurax: from n/a through 2.6. The Under Construction / Maintenance Mode from Acurax plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 2.6 due to insufficient IP address validation and/or use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to bypass controls.
https://patchstack.com/database/vulnerability/coming-soon-maintenance-mode-from-acurax/wordpress-under-construction-maintenance-mode-from-acurax-plugin-2-6-ip-bypass-vulnerability?_s_id=cve
CWE-290: Authentication Bypass by Spoofing; CWE-348: Use of Less Trusted Source
CVE-2024-1476 – Under Construction / Maintenance Mode from Acurax <= 2.6 - Information Exposure
https://notcve.org/view.php?id=CVE-2024-1476
The Under Construction / Maintenance Mode from Acurax plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6 via the REST API. This makes it possible for unauthenticated attackers to obtain the contents of posts and pages when maintenance mode is active, thus bypassing the protection provided by the plugin.
https://wordpress.org/plugins/coming-soon-maintenance-mode-from-acurax
https://www.wordfence.com/threat-intel/vulnerabilities/id/f28c47e6-a37d-4328-afb2-6a9e6b3fe20a?source=cve
CWE-284: Improper Access Control
CVE-2023-6922 – Under Construction / Maintenance Mode from Acurax <= 2.6 - Authenticated (Subscriber+) Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2023-6922
The Under Construction / Maintenance Mode from Acurax plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.6 via the 'acx_csma_subscribe_ajax' function. This can allow authenticated attackers to extract sensitive data such as names and email addresses of subscribed visitors.
https://plugins.trac.wordpress.org/browser/coming-soon-maintenance-mode-from-acurax/trunk/function.php?rev=2539156#L612
https://www.wordfence.com/threat-intel/vulnerabilities/id/2a75f4eb-698b-4c92-9829-de6c55e21ecb?source=cve
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-39926 – WordPress Under Construction / Maintenance Mode from Acurax Plugin <= 2.6 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-39926
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in Acurax Under Construction / Maintenance Mode from Acurax plugin versions <= 2.6. The Under Construction / Maintenance Mode from Acurax plugin for WordPress is vulnerable to Cross-Site Scripting via an unknown parameter in versions up to, and including, 2.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
https://patchstack.com/database/vulnerability/coming-soon-maintenance-mode-from-acurax/wordpress-under-construction-maintenance-mode-from-acurax-plugin-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-36843 – WordPress Floating Social Media Icon plugin <= 4.3.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2021-36843
Authenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in the WordPress Floating Social Media Icon plugin (versions <= 4.3.5) Social Media Configuration form. Requires a high-privilege user role such as admin. The Social Media Flying Icons | Floating Social Media Icon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 4.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
https://patchstack.com/database/vulnerability/floating-social-media-icon/wordpress-floating-social-media-icon-plugin-4-3-5-authenticated-stored-cross-site-scripting-xss-vulnerability
https://wordpress.org/plugins/floating-social-media-icon
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')