CVSS: 7.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

07 Nov 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in SendPress Newsletters plugin <= 1.23.11.6 versions. The SendPress Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 1.23.11.6 due to insufficient input sanitization and output escaping. This makes it possible for una... • https://patchstack.com/database/vulnerability/sendpress/wordpress-sendpress-newsletters-plugin-1-22-3-31-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Nov 2023 — The SendPress Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.22.3.31 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/sendpress/tags/1.22.3.31/classes/sc/class-sendpress-sc-unsubscribe-form.php#L57 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Sep 2023 — Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in SendPress Newsletters plugin <= 1.22.3.31 versions. The SendPress Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.23.11.6 due to insufficient input sanitization and output escaping. This ... • https://patchstack.com/database/vulnerability/sendpress/wordpress-sendpress-newsletters-plugin-1-22-3-31-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Sep 2023 — Cross-Site Request Forgery (CSRF) vulnerability in SendPress Newsletters plugin <= 1.22.3.31 versions. The SendPress Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.23.11.6. This is due to missing nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unauthorized action ... • https://patchstack.com/database/vulnerability/sendpress/wordpress-sendpress-newsletters-plugin-1-22-3-31-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Aug 2023 — Missing Authorization vulnerability in SendPress SendPress Newsletters. This issue affects SendPress Newsletters: from n/a through 1.23.11.6. The SendPress Newsletters plugin for WordPress is vulnerable to unauthorized modification of due to a missing capability check on multiple REST routes that initiate cron execution in versions up to, and including, 1.23.11.... • https://patchstack.com/database/vulnerability/sendpress/wordpress-sendpress-newsletters-plugin-1-22-3-31-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

23 Jul 2015 — The sendpress plugin before 1.2 for WordPress has SQL Injection via the wp-admin/admin.php?page=sp-queue listid parameter. • http://cinu.pl/research/wp-plugins/mail_8a2f7613577ea8e613ec274aeec14527.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')