CVE-2023-46821 – WordPress GD Security Headers Plugin <= 1.7 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-46821
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Milan Petrovic GD Security Headers allows authenticated (administrator or higher) SQL injection. This issue affects GD Security Headers: from n/a through 1.7.
References:
https://patchstack.com/database/vulnerability/gd-security-headers/wordpress-gd-security-headers-plugin-1-7-sql-injection-vulnerability?_s_id=cve
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
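The advisory above only names the vulnerability class. The following is an added illustration of what an administrator-reachable SQL injection in a WordPress settings handler typically looks like, with the prepared-statement fix beside it; it is not the GD Security Headers plugin's own code, the table name gd_rules is made up, and a small stand-in for WordPress's $wpdb object is constructed so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's source. Shows the concatenation pattern behind
// an "auth. (admin+)" SQL injection and the $wpdb->prepare() fix.

// Constructed stand-in for WordPress's $wpdb: records the SQL it would run
// instead of talking to MySQL. prepare() mimics wpdb::prepare(): %d casts
// the argument to int, %s quotes and escapes it.
final class FakeWpdb
{
    public string $prefix = 'wp_';
    public array $executed = [];

    public function prepare(string $query, ...$args): string
    {
        $i = 0;
        return preg_replace_callback('/%([ds])/', function (array $m) use (&$i, $args): string {
            $arg = $args[$i++] ?? '';
            return $m[1] === 'd' ? (string) (int) $arg : "'" . addslashes((string) $arg) . "'";
        }, $query);
    }

    public function query(string $sql): int
    {
        $this->executed[] = $sql;
        return 1;
    }
}

// Vulnerable: request data is concatenated straight into the statement.
// A capability check (current_user_can) limits who may reach this handler,
// not what SQL they can make it run.
function delete_rule_vulnerable(FakeWpdb $wpdb, array $post): void
{
    $wpdb->query("DELETE FROM {$wpdb->prefix}gd_rules WHERE id = " . $post['id']);
}

// Fixed: every request value goes through $wpdb->prepare() with a typed placeholder.
// The nonce check matters too: without it an "admin-only" SQL injection is reachable
// through CSRF by luring a logged-in administrator to an attacker's page.
function delete_rule_fixed(FakeWpdb $wpdb, array $post, callable $verify_nonce): void
{
    if (!$verify_nonce($post['_wpnonce'] ?? '')) {
        throw new RuntimeException('nonce check failed');
    }
    $wpdb->query($wpdb->prepare("DELETE FROM {$wpdb->prefix}gd_rules WHERE id = %d", $post['id']));
}

// Constructed attacker input: a tautology that widens a one-row delete to the whole table.
$malicious = ['id' => '1 OR 1=1', '_wpnonce' => 'valid-for-demo'];

$wpdb = new FakeWpdb();
delete_rule_vulnerable($wpdb, $malicious);
delete_rule_fixed($wpdb, $malicious, fn (string $n): bool => $n === 'valid-for-demo');

foreach ($wpdb->executed as $sql) {
    echo $sql, PHP_EOL;
}
```

Running the file prints the two statements the stand-in recorded: the vulnerable handler keeps the `OR 1=1` tail in its WHERE clause, while the fixed handler's `%d` placeholder reduces the same input to the integer 1. Administrator-only SQL injection is still worth fixing: the administrator role has no legitimate route to arbitrary SQL, and on multisite installations site administrators are not network superadmins.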
CVE-2023-40330 – WordPress GD Security Headers Plugin <= 1.6.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-40330
Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in Milan Petrovic GD Security Headers plugin <= 1.6.1 versions. The GD Security Headers plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an error message in versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
References:
https://patchstack.com/database/vulnerability/gd-security-headers/wordpress-gd-security-headers-plugin-1-6-1-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3122 – GD Mail Queue <= 3.9.3 - Unauthenticated Stored Cross-Site Scripting via Email
https://notcve.org/view.php?id=CVE-2023-3122
The GD Mail Queue plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 3.9.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References:
https://plugins.trac.wordpress.org/changeset/2923988/gd-mail-queue
https://www.wordfence.com/threat-intel/vulnerabilities/id/0b668f45-c7fb-481b-bc8e-115e5b7248c9?source=cve
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-45816 – WordPress GD bbPress Attachments Plugin <= 4.3.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-45816
Authenticated Stored Cross-Site Scripting (XSS) vulnerability in GD bbPress Attachments plugin <= 4.3.1 on WordPress. The GD bbPress Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References:
https://patchstack.com/database/vulnerability/gd-bbpress-attachments/wordpress-gd-bbpress-attachments-plugin-4-3-1-auth-stored-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
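The three XSS entries above (CVE-2023-40330, reflected via an error message; CVE-2023-3122, stored via email contents; CVE-2022-45816, stored via settings parameters) share one root cause: request or database values written into admin HTML without output escaping. The following added example is illustrative code, not any of these plugins' sources: it shows the reflected and the stored shape, each beside an escaped version. The parameter names, the mail-queue row layout and the error codes are assumptions, and esc_html() is defined locally, mirroring the htmlspecialchars() core of the WordPress function, only so the file runs outside WordPress.

```php
<?php
// Added example, not the plugins' own code: unescaped vs. escaped output in admin pages.

// Stand-in for WordPress's esc_html() when WordPress is not loaded.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// (1) Reflected XSS: error text taken from the URL and printed as-is into an admin notice.
//     Anyone who can get a victim to click a crafted link controls the markup.
function render_error_vulnerable(array $get): string
{
    return '<div class="notice notice-error"><p>' . ($get['error'] ?? '') . '</p></div>';
}

// Fixed: map a short code to a fixed message so user input never reaches the page,
// and escape on output anyway.
function render_error_fixed(array $get): string
{
    $messages = [
        'save_failed' => 'Settings could not be saved.',
        'invalid'     => 'One or more header values are invalid.',
    ];
    $code = $get['error'] ?? '';
    $text = $messages[$code] ?? 'Unknown error.';
    return '<div class="notice notice-error"><p>' . esc_html($text) . '</p></div>';
}

// (2) Stored XSS: a queued email's fields were supplied by whoever triggered the mail
//     (registration, contact form: an unauthenticated visitor) and are rendered
//     later in an administrator's list table.
function render_queue_row_vulnerable(array $row): string
{
    return '<tr><td>' . $row['to'] . '</td><td>' . $row['subject'] . '</td>'
         . '<td>' . $row['body'] . '</td></tr>';
}

// Fixed: escape every field at the point it becomes HTML text.
function render_queue_row_fixed(array $row): string
{
    return '<tr><td>' . esc_html($row['to']) . '</td><td>' . esc_html($row['subject']) . '</td>'
         . '<td><pre>' . esc_html($row['body']) . '</pre></td></tr>';
}

// Constructed payloads. The stored one sits in the queue until an admin opens the list.
$reflected = ['error' => '<img src=x onerror=alert(document.cookie)>'];
$stored    = [
    'to'      => 'victim@example.com',
    'subject' => 'Hello </td><script>alert(1)</script>',
    'body'    => "<script>fetch('/wp-admin/user-new.php')</script>",
];

echo render_error_vulnerable($reflected), PHP_EOL;
echo render_error_fixed($reflected), PHP_EOL;
echo render_queue_row_vulnerable($stored), PHP_EOL;
echo render_queue_row_fixed($stored), PHP_EOL;
```

In the escaped outputs the angle brackets and quotes arrive as `&lt;`, `&gt;` and `&quot;` entities, so the browser renders them as text instead of parsing them as tags; in the unescaped outputs the payloads are live markup. esc_html() is for text nodes; attribute values need esc_attr() and URLs esc_url(). One caveat for the "admin+" stored variant: on a single-site install administrators hold the unfiltered_html capability and can post script anyway, which is why such findings are rated low, but on multisite, where site administrators lack that capability, the same bug is a real privilege boundary.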
CVE-2015-5482 – GD bbPress Attachments < 2.3 - Directory Traversal
https://notcve.org/view.php?id=CVE-2015-5482
Directory traversal vulnerability in the GD bbPress Attachments plugin before 2.3 for WordPress allows remote administrators to include and execute arbitrary local files via a .. (dot dot) in the tab parameter in the gdbbpress_attachments page to wp-admin/edit.php.
References:
https://packetstormsecurity.com/files/132656/wpgdbbpress-lfi.txt
https://security.dxw.com/advisories/local-file-include-vulnerability-in-gd-bbpress-attachments-allows-attackers-to-include-arbitrary-php-files
https://wordpress.org/plugins/gd-bbpress-attachments/changelog
https://wpvulndb.com/vulnerabilities/8087
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
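A "tab" parameter that selects which settings file to include is a common WordPress admin pattern, and the entry above describes what happens when it is spliced into the include path unchecked. The following added example is illustrative, not the plugin's own code: it shows that pattern next to an allow-list fix with a path-containment check as defence in depth. The tab names and the tabs/ directory layout are assumptions, and a temporary directory with stand-in tab files is constructed so the file runs outside WordPress.

```php
<?php
// Added example, not the plugin's source: path-traversal-to-LFI through an include()
// built from a request parameter, and the allow-list fix.

// Constructed fixture: a tabs/ directory with two legitimate tab files, plus a
// file outside tabs/ that stands in for anything the page must never include.
$base = sys_get_temp_dir() . '/gd_tabs_demo_' . getmypid();
mkdir($base . '/tabs', 0700, true);
file_put_contents($base . '/tabs/general.php', "<?php echo 'general tab', PHP_EOL;\n");
file_put_contents($base . '/tabs/files.php',   "<?php echo 'files tab', PHP_EOL;\n");
file_put_contents($base . '/secret.php',       "<?php echo 'file outside tabs/ executed', PHP_EOL;\n");

// Vulnerable: the request value becomes part of the include path unchanged.
// "../" climbs out of tabs/, so any .php file the web server can read is reachable.
function tab_path_vulnerable(string $base, array $get): string
{
    $tab = $get['tab'] ?? 'general';
    return $base . '/tabs/' . $tab . '.php';
}

// Fixed: accept only names from a fixed list (strict comparison, checked before any
// filesystem access), then confirm the resolved path still lies under tabs/.
function tab_path_fixed(string $base, array $get): ?string
{
    $allowed = ['general', 'files'];
    $tab = $get['tab'] ?? 'general';
    if (!in_array($tab, $allowed, true)) {
        return null;
    }
    $dir  = realpath($base . '/tabs');
    $file = realpath($dir . '/' . $tab . '.php');
    if ($file === false || strncmp($file, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Constructed attacker input: one "../" is enough to leave tabs/.
$attack = ['tab' => '../secret'];

echo 'vulnerable path: ', tab_path_vulnerable($base, $attack), PHP_EOL;
include tab_path_vulnerable($base, $attack);   // runs secret.php

$safe = tab_path_fixed($base, $attack);
echo 'fixed path: ', var_export($safe, true), PHP_EOL;
if ($safe !== null) {
    include $safe;                             // never reached for the attack input
}
include tab_path_fixed($base, ['tab' => 'files']);   // legitimate tab still works

// Remove the fixture.
array_map('unlink', glob($base . '/tabs/*.php'));
unlink($base . '/secret.php');
rmdir($base . '/tabs');
rmdir($base);
```

The allow-list is the real fix; realpath() containment is a second line that also catches symlinks pointing out of tabs/. The hardened version intentionally does not try to strip "../" from the input: filtering traversal sequences out of untrusted strings is fragile (encoded and doubled forms), whereas refusing anything not on the list is not. The entry's "remote administrators" precondition is a weaker one than it sounds on multisite, where site administrators cannot install plugins and therefore have no other route to executing chosen files.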