CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40558 – WordPress Video Gallery & Management Plugin <= 3.3.5 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-40558
Cross-Site Request Forgery (CSRF) vulnerability in eMarket Design YouTube Video Gallery by YouTube Showcase plugin <= 3.3.5 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en eMarket Design YouTube Video Gallery mediante el complemento YouTube Showcase en versiones <= 3.3.5. The Video Gallery & Management plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.3.5. This is due to missing nonce validation on the emd_show_forms_lite_page() function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/youtube-showcase/wordpress-video-gallery-management-plugin-3-3-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2240 – Request a Quote <= 2.3.7 - CSV Injection
https://notcve.org/view.php?id=CVE-2022-2240
The Request a Quote WordPress plugin through 2.3.7 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin download and open it El plugin Request a Quote de WordPress versiones hasta 2.3.7, no comprueba los archivos CSV subidos, lo que permite a usuarios no autenticados adjuntar un archivo CSV malicioso a un presupuesto, lo que podría conllevar a una inyección CSV una vez que un administrador lo descargue y lo abra The Request a Quote WordPress plugin through 2.3.8 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin download and open it • https://wpscan.com/vulnerability/6a3a573e-f9f2-45ec-9156-332cc551fc7e • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2239 – Request a Quote < 2.3.9 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2239
The Request a Quote WordPress plugin before 2.3.9 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. El plugin Request a Quote de WordPress versiones hasta 2.3.7, no sanea y escapa de algunos de sus parámetros, permitiendo a usuarios con altos privilegios, como los administradores, llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando la capacidad unfiltered_html está deshabilitada The Request a Quote WordPress plugin through 2.3.7 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. • https://wpscan.com/vulnerability/42127d96-547f-46cb-95d0-a19a8fe7580e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2151 – Best Contact Management Software <= 3.7.3 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2151
The Best Contact Management Software WordPress plugin through 3.7.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. El plugin Best Contact Management Software de WordPress versiones hasta 3.7.3, no sanea ni escapa de su configuración, lo que permite a usuarios con altos privilegios, como los administradores, llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando la capacidad unfiltered_html está deshabilitada The Best Contact Management Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "No Access Message" setting in versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/7c08e4c1-57c5-471c-a990-dcb9fd7ce0f4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24622 – WP Ticket < 5.10.4 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24622
The Customer Service Software & Support Ticket System WordPress plugin before 5.10.4 does not sanitize or escape form fields before outputting it in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. El plugin Customer Service Software & Support Ticket System de WordPress versiones anteriores a 5.10.4, no sanea ni escapa los campos de los formularios antes de mostrarlos en la lista, que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando la capacidad unfiltered_html no está permitida • https://wpscan.com/vulnerability/41a2c72c-7db1-473a-8844-47f6ae9d0594 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •