CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6446 – Calculated Fields Form <= 1.2.40 - Authenticated (Admin+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-6446
The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. El complemento Calculated Fields Form para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de la configuración de administrador en todas las versiones hasta la 1.2.40 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con permisos de nivel de administrador y superiores, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset/3005354/calculated-fields-form https://www.wordfence.com/threat-intel/vulnerabilities/id/c879123c-531e-43d8-a7d3-16a3c86b68a3?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-87: Improper Neutralization of Alternate XSS Syntax •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41732 – WordPress CP Blocks Plugin <= 1.0.20 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-41732
Cross-Site Request Forgery (CSRF) vulnerability in CodePeople CP Blocks plugin <= 1.0.20 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento CodePeople CP Blocks en versiones <= 1.0.20. The CP Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.20. This is due to incorrect nonce validation in the admin-int-license.inc.php file. This makes it possible for unauthenticated attackers to update the license key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/cp-blocks/wordpress-cp-blocks-plugin-1-0-20-csrf-leading-to-plugin-settings-change-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4034 – Appointment Hour Booking <= 1.3.72 - CSV Injection
https://notcve.org/view.php?id=CVE-2022-4034
The Appointment Hour Booking Plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.3.72. This makes it possible for unauthenticated attackers to embed untrusted input into content during booking creation that may be exported as a CSV file when a site's administrator exports booking details. This can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. El complemento Appointment Hour Booking para WordPress es vulnerable a la inyección CSV en versiones hasta la 1.3.72 incluida. Esto hace posible que atacantes no autenticados incorporen entradas no confiables en contenido durante la creación de reservas que pueden exportarse como un archivo CSV cuando el administrador de un sitio exporta los detalles de la reserva. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2803896%40appointment-hour-booking&new=2803896%40appointment-hour-booking&sfp_email=&sfph_mail= https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4034 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4035 – Appointment Hour Booking <= 1.3.72 - Unauthenticated iFrame Injection via Appointment Form
https://notcve.org/view.php?id=CVE-2022-4035
The Appointment Hour Booking plugin for WordPress is vulnerable to iFrame Injection via the ‘email’ or general field parameters in versions up to, and including, 1.3.72 due to insufficient input sanitization and output escaping that makes injecting iFrame tags possible. This makes it possible for unauthenticated attackers to inject iFrames when submitting a booking that will execute whenever a user accesses the injected booking details page. El complemento Appointment Hour Booking para WordPress es vulnerable a la inyección de iFrame a través del correo electrónico o parámetros de campo generales en versiones hasta la 1.3.72 incluida debido a una sanitización de entrada y un escape de salida insuficientes que hacen posible la inyección de etiquetas iFrame. Esto hace posible que atacantes no autenticados inyecten iFrames al enviar una reserva que se ejecutará cada vez que un usuario acceda a la página de detalles de la reserva inyectada. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2803896%40appointment-hour-booking&new=2803896%40appointment-hour-booking&sfp_email=&sfph_mail= https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4035 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4036 – Appointment Hour Booking <= 1.3.72 - CAPTCHA Bypass
https://notcve.org/view.php?id=CVE-2022-4036
The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA bypass in versions up to, and including, 1.3.72. This is due to the use of insufficiently strong hashing algorithm on the CAPTCHA secret that is also displayed to the user via a cookie. El complemento Appointment Hour Booking para WordPress es vulnerable a la omisión de CAPTCHA en versiones hasta la 1.3.72 incluida. Esto se debe al uso de un algoritmo hash insuficientemente potente en el secreto del CAPTCHA, que también se muestra al usuario a través de una cookie. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2803896%40appointment-hour-booking&new=2803896%40appointment-hour-booking&sfp_email=&sfph_mail= https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-4036 • CWE-326: Inadequate Encryption Strength CWE-804: Guessable CAPTCHA •