CVE-2023-41797 – WordPress Locations Plugin <= 4.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-41797
05 Sep 2023 — Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Gold Plugins Locations plugin <= 4.0 versions. Vulnerabilidad de Coss-Site Scripting (XSS) autenticada (con permisos de colaboradores o superiores) almacenada en el complemento Gold Plugins Locations en versiones <= 4.0. The Locations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in versions up to, and including, 4.0 due to insufficient input sanitization and output escaping on user supp... • https://patchstack.com/database/vulnerability/locations/wordpress-locations-plugin-4-0-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-4577 – Easy Testimonials < 3.9.3 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-4577
10 Jan 2023 — The Easy Testimonials WordPress plugin before 3.9.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. The Easy Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 3.9.2 due to insufficient input sanit... • https://wpscan.com/vulnerability/85d9fad7-ba3d-4140-ae05-46262d2643e6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-4394 – Locations <= 3.2.1 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2021-4394
05 Jul 2021 — The Locations plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.1. This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to update custom field meta data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2021-4397 – Staff Directory Plugin <= 3.6 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2021-4397
21 Jun 2021 — The Staff Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.6. This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to save custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2021-4407 – Custom Banners <= 3.2.2 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2021-4407
01 Mar 2021 — The Custom Banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.2 This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to save custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2020-36749 – Easy Testimonials <= 3.6.1 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2020-36749
16 Sep 2020 — The Easy Testimonials plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.6.1. This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to save custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2020-14959 – Easy Testimonials <= 3.5.2 - Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-14959
13 May 2020 — Multiple XSS vulnerabilities in the Easy Testimonials plugin before 3.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the wp-admin/post.php Client Name, Position, Web Address, Other, Location Reviewed, Product Reviewed, Item Reviewed, or Rating parameter. Múltiples vulnerabilidades de tipo XSS en el plugin Easy Testimonials versiones anteriores a 3.6 para WordPress, permiten a atacantes remotos inyectar script web o HTML arbitrario por medio del parámetro Client Name, Posit... • https://wpvulndb.com/vulnerabilities/10223 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-19564 – Easy Testimonials <= 3.5.2 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-19564
26 Nov 2018 — Stored XSS was discovered in the Easy Testimonials plugin 3.2 for WordPress. Three wp-admin/post.php parameters (_ikcf_client and _ikcf_position and _ikcf_other) have Cross-Site Scripting. Se ha descubierto Cross-Site Scripting (XSS) persistente en el plugin 3.2 "Easy Testimonials" para WordPress. Tres parámetros en wp-admin/post.php (_ikcf_client, _ikcf_position y _ikcf_other) tienen Cross-Site Scripting (XSS). Stored XSS was discovered in the Easy Testimonials plugin 3.5.2 for WordPress. • https://www.exploit-db.com/exploits/45900 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-12131 – Easy Testimonials <= 3.0.4 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-12131
31 Jul 2017 — The Easy Testimonials plugin 3.0.4 for WordPress has XSS in include/settings/display.options.php, as demonstrated by the Default Testimonials Width, View More Testimonials Link, and Testimonial Excerpt Options screens. El plugin Easy Testimonials en su versión 3.0.4 para WordPress tiene una vulnerabilidad de tipo Cross-Site Scripting (XSS) en include/settings/display.options.php, tal y como lo demuestran las pantallas de Default Testimonials Width, View More Testimonials Link y Testimonial Excerpt Options. • https://github.com/kevins1022/cve/blob/master/wordpress-Easy-Testimonials.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-9418 – WP-Testimonials <= 3.4.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2017-9418
02 Jun 2017 — SQL injection vulnerability in the WP-Testimonials plugin 3.4.1 for WordPress allows an authenticated user to execute arbitrary SQL commands via the testid parameter to wp-admin/admin.php. Una vulnerabilidad de inyección SQL en el plugin WP-Testimonials versión 3.4.1 para WordPress, permite a un usuario autenticado ejecutar comandos SQL arbitrarios por medio del parámetro testid en el archivo wp-admin/admin.php. WordPress WP-Testimonials plugin versions prior to 3.4.1 suffer from a remote SQL injection vuln... • https://packetstorm.news/files/id/142912 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •