CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5382 – Funnelforms Free <= 3.4 - Cross-Site Request Forgery to Arbitrary Post Deletion
https://notcve.org/view.php?id=CVE-2023-5382
The Funnelforms Free plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4. This is due to missing or incorrect nonce validation on the fnsf_delete_posts function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. El complemento Funnelforms Free para WordPress es vulnerable a Cross-Site Request Forgery en versiones hasta la 3.4 incluida. Esto se debe a una validación nonce faltante o incorrecta en la función fnsf_delete_posts. • https://plugins.trac.wordpress.org/changeset/2986938/funnelforms-free https://www.wordfence.com/threat-intel/vulnerabilities/id/72e4428b-d2cd-471f-9821-947f4601fd64?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5386 – Funnelforms Free <= 3.4 - Missing Authorization to Arbitrary Post Deletion
https://notcve.org/view.php?id=CVE-2023-5386
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_posts function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts, including administrator posts, and posts not related to the Funnelforms Free plugin. El complemento Funnelforms Free para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función fnsf_delete_posts en versiones hasta la 3.4 incluida. Esto hace posible que atacantes autenticados, con permisos de nivel de suscriptor y superiores, eliminen publicaciones arbitrarias, incluidas publicaciones de administrador y publicaciones no relacionadas con el complemento Funnelforms Free. The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_posts function in versions up to, and including, 3.4. • https://plugins.trac.wordpress.org/changeset/2986938/funnelforms-free https://www.wordfence.com/threat-intel/vulnerabilities/id/400fe58b-8203-4fd5-a3d3-d30eb1b8cd85?source=cve • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5415 – Funnelforms Free <= 3.4 - Missing Authorization to New Category Creation
https://notcve.org/view.php?id=CVE-2023-5415
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_add_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to add new categories. El complemento Funnelforms Free para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función fnsf_add_category en versiones hasta la 3.4 incluida. Esto hace posible que los atacantes autenticados, con permisos de nivel de suscriptor y superiores, agreguen nuevas categorías. • https://plugins.trac.wordpress.org/changeset/2986938/funnelforms-free https://www.wordfence.com/threat-intel/vulnerabilities/id/6ec3051e-a5e4-48ee-8f8e-eb5dbc482f33?source=cve • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5387 – Funnelforms Free <= 3.4 - Missing Authorization to Enable/Disable Dark Mode
https://notcve.org/view.php?id=CVE-2023-5387
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_trigger_dark_mode function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to enable or disable the dark mode plugin setting. El complemento Funnelforms Free para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función fnsf_af2_trigger_dark_mode en versiones hasta la 3.4 incluida. Esto hace posible que los atacantes autenticados, con permisos de nivel de suscriptor y superiores, habiliten o deshabiliten la configuración del complemento del modo oscuro. • https://plugins.trac.wordpress.org/changeset/2986938/funnelforms-free https://www.wordfence.com/threat-intel/vulnerabilities/id/ccb34b44-9fa4-4ebe-b217-b2a42920247f?source=cve • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5416 – Funnelforms Free <= 3.4 - Missing Authorization to Category Deletion
https://notcve.org/view.php?id=CVE-2023-5416
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete categories. El complemento Funnelforms Free para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función fnsf_delete_category en versiones hasta la 3.4 incluida. Esto hace posible que los atacantes autenticados, con permisos de nivel de suscriptor y superiores, eliminen categorías. • https://plugins.trac.wordpress.org/changeset/2986938/funnelforms-free https://www.wordfence.com/threat-intel/vulnerabilities/id/992fc98f-4b23-4596-81fb-5543d82fd615?source=cve • CWE-862: Missing Authorization •