CVE-2023-6987 – String Locator <= 2.6.5 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-6987
23 Aug 2024 — The String Locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sql-column' parameter in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires WP_DEBUG to be enabled. • https://plugins.trac.wordpress.org/changeset/3139143/string-locator/tags/2.6.6/includes/Extension/SQL/views/editor/sql.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-6397 – InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.44 - Authentication Bypass to Admin
https://notcve.org/view.php?id=CVE-2024-6397
10 Jul 2024 — The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username, and to perform a variety of other administrative tasks. NOTE: This vulnerability was partially fixed in 0.1.0.44, but was still exploi... • https://plugins.trac.wordpress.org/browser/instawp-connect/tags/0.1.0.43/includes/apis/class-instawp-rest-api.php#L256 • CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVE-2024-37228 – WordPress InstaWP Connect plugin <= 0.1.0.38 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-37228
21 Jun 2024 — Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP Team InstaWP Connect allows Code Injection. This issue affects InstaWP Connect: from n/a through 0.1.0.38. The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make r... • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-38-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2024-4898 – InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation
https://notcve.org/view.php?id=CVE-2024-4898
11 Jun 2024 — The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts. • https://github.com/truonghuuphuc/CVE-2024-4898-Poc • CWE-862: Missing Authorization
CVE-2024-32701 – WordPress InstaWP Connect plugin <= 0.1.0.24 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-32701
22 Apr 2024 — Missing Authorization vulnerability in InstaWP Team InstaWP Connect. This issue affects InstaWP Connect: from n/a through 0.1.0.24. The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in versions up to, and including, 0.1.0.24. This makes it possible for authenticated attackers, with subscrib... • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-24-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization
CVE-2024-2667 – InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.22 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-2667
12 Apr 2024 — The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files. • https://github.com/Puvipavan/CVE-2024-2667 • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2024-25918 – WordPress InstaWP Connect plugin <= 0.1.0.8 - Auth. Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-25918
14 Feb 2024 — Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP Team InstaWP Connect allows Code Injection. This issue affects InstaWP Connect: from n/a through 0.1.0.8. The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up ... • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-8-remote-code-execution-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type • CWE-862: Missing Authorization
CVE-2024-23506 – WordPress InstaWP Connect Plugin <= 0.1.0.9 is vulnerable to Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2024-23506
24 Jan 2024 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration. This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9. The InstaWP Connect – 1-c... • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sensitive-data-exposure-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-862: Missing Authorization
CVE-2024-23507 – WordPress InstaWP Connect Plugin <= 0.1.0.9 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2024-23507
24 Jan 2024 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration. This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9. • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-9-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-22145 – WordPress InstaWP Connect plugin <= 0.1.0.8 - Arbitrary Option Update to Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2024-22145
17 Jan 2024 — Improper Privilege Management vulnerability in InstaWP Team InstaWP Connect allows Privilege Escalation. This issue affects InstaWP Connect: from n/a through 0.1.0.8. The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on... • https://github.com/RandomRobbieBF/CVE-2024-22145 • CWE-269: Improper Privilege Management • CWE-862: Missing Authorization