CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47354 – WordPress Simple Membership After Login Redirection plugin <= 1.6 - Open Redirection vulnerability
https://notcve.org/view.php?id=CVE-2024-47354
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in smp7, wp.Insider Simple Membership After Login Redirection.This issue affects Simple Membership After Login Redirection: from n/a through 1.6. The Simple Membership After Login Redirection plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.6. This is due to insufficient validation on the redirect url supplied via the 'swpm_redirect_to' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. • https://patchstack.com/database/vulnerability/simple-membership-after-login-redirection/wordpress-simple-membership-after-login-redirection-plugin-1-6-open-redirection-vulnerability?_s_id=cve • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-30506 – WordPress All In One Redirection plugin <= 2.2.0 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-30506
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vsourz Digital All In One Redirection allows Stored XSS.This issue affects All In One Redirection: from n/a through 2.2.0. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('cross-site Scripting') en All In One Redirection de Vsourz Digital para WordPress permite XSS almacenado. Este problema afecta a All In One Redirection: desde n/a hasta 2.2.0. The All In One Redirection plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/all-in-one-redirection-404-pages-list/wordpress-all-in-one-redirection-plugin-2-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-36913 – Redirection for Contact Form 7 <= 2.4.0 - Unauthenticated Options Change and Content Injection vulnerability
https://notcve.org/view.php?id=CVE-2021-36913
Unauthenticated Options Change and Content Injection vulnerability in Qube One Redirection for Contact Form 7 plugin <= 2.4.0 at WordPress allows attackers to change options and inject scripts into the footer HTML. Requires an additional extension (plugin) AccessiBe. Una vulnerabilidad de cambio de opciones sin autenticación e inyección de contenido en el plugin Qube One Redirection for Contact Form 7 versiones anteriores a 2.4.0 incluyéndola en WordPress, permite a atacantes cambiar opciones e inyectar scripts en el HTML del pie de página. Requiere una extensión adicional (plugin) AccessiBe The Redirection for Contact Form 7 plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on an unknown function in versions up to, and including, 2.4.0. This makes it possible for unauthenticated attackers to update the plugin's options. • https://patchstack.com/database/vulnerability/wpcf7-redirect/wordpress-redirection-for-contact-form-7-plugin-2-4-0-unauthenticated-options-change-vulnerability?_s_id=cve https://wordpress.org/plugins/wpcf7-redirect/#developers • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0250 – Redirection for Contact Form 7 < 2.5.0 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0250
The Redirection for Contact Form 7 WordPress plugin before 2.5.0 does not escape a link generated before outputting it in an attribute, leading to a Reflected Cross-Site Scripting El plugin Redirection for Contact Form 7 de WordPress versiones anteriores a 2.5.0, no escapa a un enlace generado antes de emitirlo en un atributo, conllevando a un ataque de tipo Cross-Site Scripting reflejado • https://wpscan.com/vulnerability/05700942-3143-4978-89eb-814ceff74867 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2018-1000504 – Redirection <= 2.7.3 - Local File Inclusion
https://notcve.org/view.php?id=CVE-2018-1000504
Redirection version 2.7.3 contains a ACE via file inclusion vulnerability in Pass-through mode that can result in allows admins to execute any PHP file in the filesystem. This attack appear to be exploitable via Attacker must be have access to an admin account on the target site. This vulnerability appears to have been fixed in 2.8. Redirection 2.7.3 contiene un ACE mediante una vulnerabilidad de inclusión de archivos en el modo Pass-through que puede resultar en que los administradores puedan ejecutar cualquier archivo PHP en el sistema de archivos. Para explotar este ataque, el atacante debe tener acceso a una cuenta de administrador en el sitio objetivo. • https://advisories.dxw.com/advisories/ace-file-inclusion-redirection • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •