CVE-2021-24968 – Ultimate FAQ < 2.1.2 - Subscriber+ Arbitrary FAQ Creation
https://notcve.org/view.php?id=CVE-2021-24968
27 Dec 2021 — The Ultimate FAQ WordPress plugin before 2.1.2 does not have capability and CSRF checks in the ewd_ufaq_welcome_add_faq and ewd_ufaq_welcome_add_faq_page AJAX actions, which are available to any authenticated user. As a result, any user with a role as low as Subscriber could create FAQs and FAQ questions. • https://plugins.trac.wordpress.org/changeset/2648562 • CWE-352: Cross-Site Request Forgery (CSRF); CWE-862: Missing Authorization
CVE-2020-7107 – Ultimate FAQ <= 1.8.29 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-7107
06 Jan 2020 — The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS via Display_FAQ to Shortcodes/DisplayFAQs.php. • https://plugins.trac.wordpress.org/changeset/2222959/ultimate-faqs/tags/1.8.30/Shortcodes/DisplayFAQs.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-17233 – Ultimate FAQ <= 1.8.24 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-17233
20 Sep 2019 — Functions/EWD_UFAQ_Import.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows HTML content injection. • https://blog.nintechnet.com/unauthenticated-options-import-vulnerability-in-wordpress-ultimate-faq-plugin • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-17232 – Ultimate FAQ <= 1.8.24 - Unauthenticated Options Import/Export
https://notcve.org/view.php?id=CVE-2019-17232
20 Sep 2019 — Functions/EWD_UFAQ_Import.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows unauthenticated options import. • https://blog.nintechnet.com/unauthenticated-options-import-vulnerability-in-wordpress-ultimate-faq-plugin • CWE-306: Missing Authentication for Critical Function; CWE-862: Missing Authorization
CVE-2019-15643 – Ultimate Faqs <= 1.8.21 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-15643
08 May 2019 — The ultimate-faqs plugin before 1.8.22 for WordPress has XSS. • https://wordpress.org/plugins/ultimate-faqs/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')