CVSS: 9.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

SQL injection vulnerability in Music Store - WordPress eCommerce versions prior to 1.1.14 allows a remote authenticated attacker with administrative privileges to execute arbitrary SQL commands. Information stored in the database may be obtained or altered by the attacker. The Music Store – WordPress eCommerce plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 1.1.13 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query.
• https://jvn.jp/en/jp/JVN79213252
• https://plugins.trac.wordpress.org/changeset?new=3085975%40music-store%2Ftrunk%2Fmusic-store.php&old=3079647%40music-store%2Ftrunk%2Fmusic-store.php
• https://wordpress.org/plugins/music-store
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form. This issue affects WP Time Slots Booking Form: from n/a through 1.2.11. The WP Time Slots Booking Form plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the data_management() function in versions up to, and including, 1.2.11. This makes it possible for unauthenticated attackers to view slot data.
• https://patchstack.com/database/vulnerability/wp-time-slots-booking-form/wordpress-wp-time-slots-booking-form-plugin-1-2-11-broken-access-control-vulnerability?_s_id=cve
• CWE-862: Missing Authorization

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CodePeople WP Time Slots Booking Form allows Stored XSS. This issue affects WP Time Slots Booking Form: from n/a through 1.2.10. The WP Time Slots Booking Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
• https://patchstack.com/database/vulnerability/wp-time-slots-booking-form/wordpress-wp-time-slots-booking-form-plugin-1-2-10-cross-site-scripting-xss-vulnerability?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in CodePeople Contact Form Email. This issue affects Contact Form Email: from n/a through 1.3.44. The Contact Form Email plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.44 via log files. This makes it possible for unauthenticated attackers to extract sensitive data from log files.
• https://patchstack.com/database/vulnerability/contact-form-to-email/wordpress-contact-form-email-plugin-1-3-44-sensitive-data-exposure-vulnerability?_s_id=cve
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form page href parameter in all versions up to, and including, 5.1.56 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the professional version or higher.
• https://wordpress.org/plugins/calculated-fields-form/#developers
• https://www.wordfence.com/threat-intel/vulnerabilities/id/45bfa9fb-f35b-4fd4-8553-cf87bf69df6b?source=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')