CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24151 – WP Editor < 1.2.7 - Authenticated SQL injection
https://notcve.org/view.php?id=CVE-2021-24151
The WP Editor WordPress plugin before 1.2.7 did not sanitise or validate its setting fields leading to an authenticated (admin+) blind SQL injection issue via an arbitrary parameter when making a request to save the settings. El complemento de WordPress WP Editor anterior a 1.2.7 no sanitizó ni validó sus campos de configuración, lo que provocó un problema de inyección ciega de SQL autenticado (admin+) a través de un parámetro arbitrario al realizar una solicitud para guardar la configuración. The WP Editor plugin for WordPress is vulnerable to blind SQL Injection via the setting fields in versions up to, and including, 1.2.6.3 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated admin+ attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://wpscan.com/vulnerability/5ee77dd7-5a73-4d4e-8038-23e6e763e20c • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-10886 – WP Editor < 1.2.6 - Incorrect Permission Assignment or Protection
https://notcve.org/view.php?id=CVE-2016-10886
The wp-editor plugin before 1.2.6 for WordPress has incorrect permissions. El plugin wp-editor versiones anteriores a 1.2.6 para WordPress, presenta una vulnerabilidad de tipo CSRF. • https://wordpress.org/plugins/wp-editor/#developers • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-10885 – WP Editor < 1.2.6 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2016-10885
The wp-editor plugin before 1.2.6 for WordPress has CSRF. El plugin wp-editor versiones anteriores a 1.2.6 para WordPress, presenta una vulnerabilidad de tipo CSRF. The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 1.2.6. This is due to missing or incorrect nonce validation on the save_settings() function, in addition to a few other functions. This makes it possible for unauthenticated attackers to modify the plugin's settings and upload files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://wordpress.org/plugins/wp-editor/#developers • CWE-352: Cross-Site Request Forgery (CSRF) •