CVSS: 10.0EPSS: 2%CPEs: 1EXPL: 1CVE-2023-4521 – Import XML and RSS Feeds < 2.1.5 - Unauthenticated RCE
https://notcve.org/view.php?id=CVE-2023-4521
28 Aug 2023 — The Import XML and RSS Feeds WordPress plugin before 2.1.5 contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised and the files are the result of running a PoC for a previously reported issue (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) and not deleting the created files when releasing the new version. El complemento de WordPress Import XML and RSS Feeds anterior a 2.1.5 contiene un shell web que permite a atacantes no autent... • https://wpscan.com/vulnerability/de2cdb38-3a9f-448e-b564-a798d1e93481 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 2CVE-2023-4300 – Import XML and RSS Feeds < 2.1.4 - Admin+ Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-4300
28 Aug 2023 — The Import XML and RSS Feeds WordPress plugin before 2.1.4 does not filter file extensions for uploaded files, allowing an attacker to upload a malicious PHP file, leading to Remote Code Execution. El complemento de WordPress Import XML y RSS Feeds anterior a 2.1.4 no filtra las extensiones de archivos para los archivos cargados, lo que permite a un atacante cargar un archivo PHP malicioso, lo que lleva a la ejecución remota de código. The Import XML and RSS Feeds plugin for WordPress is vulnerable to arbit... • https://github.com/bde574786/CVE-2023-4300 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4013 – GDPR Cookie Compliance < 4.12.5 - License Update/Deactivation via CSRF
https://notcve.org/view.php?id=CVE-2023-4013
07 Aug 2023 — The GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) WordPress plugin before 4.12.5 does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF attacks El plugin de WordPress GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) anterior a 4.12.5 no dispone de comprobaciones CSRF adecuadas al gestionar su licencia, lo que podría permitir a los atacantes hacer que los administradores que han iniciado s... • https://wpscan.com/vulnerability/54e4494c-a280-4d91-803d-7d55159cdbc5 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4150 – User Activity Tracking and Log < 4.0.9 - License Update/Deactivation via CSRF
https://notcve.org/view.php?id=CVE-2023-4150
07 Aug 2023 — The User Activity Tracking and Log WordPress plugin before 4.0.9 does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF attacks El plugin de WordPress User Activity Tracking and Log anterior a 4.0.9 no dispone de comprobaciones CSRF adecuadas al gestionar su licencia, lo que podría permitir a los atacantes hacer que los administradores logueados actualicen y desactiven la licencia del plugin mediant... • https://wpscan.com/vulnerability/381ef15b-aafe-4ef4-a0bc-867d891f7f44 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 3CVE-2021-24286 – Redirect 404 to Parent < 1.3.1 - Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24286
23 Apr 2021 — The settings page of the Redirect 404 to parent WordPress plugin before 1.3.1 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue La página de configuración del plugin de WordPress Redirect 404 to parent versiones anteriores a 1.3.1 no sanea apropiadamente el parámetro tab antes de devolverlo, conllevando a un problema de tipo Cross-Site Scripting reflejado WordPress Redirect 404 to Parent plugin version 1.3.0 suffers from a cross site scr... • https://www.exploit-db.com/exploits/50350 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 3CVE-2021-24287 – Select All Categories and Taxonomies < 1.3.2 - Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24287
23 Apr 2021 — The settings page of the Select All Categories and Taxonomies, Change Checkbox to Radio Buttons WordPress plugin before 1.3.2 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue La página de configuración del plugin de WordPress Select All Categories and Taxonomies, Change Checkbox to Radio Buttons versiones anteriores a 1.3.2, no sanea apropiadamente el parámetro tab antes de devolverlo, conllevando a un problema de tipo Cross-Site Script... • https://www.exploit-db.com/exploits/50349 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 46%CPEs: 1EXPL: 1CVE-2020-24148 – Import XML and RSS Feeds <= 2.0.2 - Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2020-24148
13 Apr 2021 — Server-side request forgery (SSRF) in the Import XML and RSS Feeds (import-xml-feed) plugin 2.0.1 for WordPress via the data parameter in a moove_read_xml action. Una vulnerabilidad de tipo Server-side request forgery (SSRF) en el plugin Import XML and RSS Feeds (import-xml-feed) versión 2.0.1 para WordPress, por medio del parámetro data en una acción moove_read_xml The Import XML and RSS Feeds plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 2.0.2 via the ... • https://github.com/dwisiswant0/CVE-2020-24148 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 2CVE-2021-24247 – Contact Form Check Tester <= 1.0.2 - Broken Access Control to Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24247
10 Apr 2021 — The Contact Form Check Tester WordPress plugin through 1.0.2 settings are visible to all registered users in the dashboard and are lacking any sanitisation. As a result, any registered user, such as subscriber, can leave an XSS payload in the plugin settings, which will be triggered by any user visiting them, and could allow for privilege escalation. The vendor decided to close the plugin. La configuración del plugin Contact Form Check Tester WordPress versiones hasta 1.0.2, es visible para todos los usuari... • https://www.exploit-db.com/exploits/50703 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-25143 – GDPR Cookie Compliance <= 4.0.2 - Missing Authorization
https://notcve.org/view.php?id=CVE-2019-25143
27 Dec 2019 — The GDPR Cookie Compliance plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the gdpr_cookie_compliance_reset_settings AJAX action in versions up to, and including, 4.0.2. This makes it possible for authenticated attackers to reset all of the settings. • https://blog.nintechnet.com/wordpress-gdpr-cookie-compliance-plugin-fixed-authenticated-settings-deletion-vulnerability • CWE-862: Missing Authorization •