CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-4970 – Widget Bundle <= 2.0.0 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-4970
31 May 2024 — The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) El complemento Widget Bundle de WordPress hasta la versión 2.0.0 no sanitiza ni escapa a algunas de sus configuraciones, lo que podría permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de ... • https://wpscan.com/vulnerability/4a9fc352-7ec2-4992-9cda-7bdca4f42788 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-4616 – Widget Bundle <= 2.0.0 - Unauthencated Reflected XSS
https://notcve.org/view.php?id=CVE-2024-4616
31 May 2024 — The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users El complemento Widget Bundle de WordPress hasta la versión 2.0.0 no sanitiza ni escapa un parámetro antes de devolverlo a la página, lo que genera un Cross-Site Scripting Reflejado que podría usarse solo contra usuarios no autenticados. The Widget Bundle plugin for WordPress is vulne... • https://wpscan.com/vulnerability/d203bf3b-aee9-4755-b429-d6bbdd940890 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-4969 – Widget Bundle <= 2.0.0 - Widget Disable/Enable via CSRF
https://notcve.org/view.php?id=CVE-2024-4969
31 May 2024 — The Widget Bundle WordPress plugin through 2.0.0 does not have CSRF checks when logging Widgets, which could allow attackers to make logged in admin enable/disable widgets via a CSRF attack El complemento Widget Bundle de WordPress hasta la versión 2.0.0 no tiene comprobaciones CSRF al registrar widgets, lo que podría permitir a los atacantes habilitar/deshabilitar los widgets del administrador registrado a través de un ataque CSRF. The Widget Bundle plugin for WordPress is vulnerable to Cross-Site Request ... • https://wpscan.com/vulnerability/1a7ec5dc-eda4-4fed-9df9-f41d2b937fed • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-44236 – WordPress WP Captcha Plugin <= 2.0.0 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-44236
29 Sep 2023 — Cross-Site Request Forgery (CSRF) vulnerability in Devnath verma WP Captcha plugin <= 2.0.0 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento Devnath verma WP Captcha en versiones <= 2.0.0. The WP Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.0. This is due to missing nonce validation on the c4wp_settings_validate function. This makes it possible for unauthenticated attackers to modify the plugin's settings via... • https://patchstack.com/database/vulnerability/wp-captcha/wordpress-wp-captcha-plugin-2-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •