CVE-2024-9201 – SQL injection vulnerability in SEUR plugin
https://notcve.org/view.php?id=CVE-2024-9201
10 Oct 2024 — The SEUR plugin, in versions prior to 2.5.11, is vulnerable to time-based SQL injection through the 'id_order' parameter of the '/modules/seur/ajax/saveCodFee.php' endpoint. The SEUR Oficial plugin for WordPress is vulnerable to SQL injection via the 'id_order' parameter of the '/modules/seur/ajax/saveCodFee.php' file in all versions up to, and including, 2.2.10.2, due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This mak... • https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-vulnerability-seur-plugin • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-25004 – SEUR Oficial < 1.7.2 - Admin+ Arbitrary File Download
https://notcve.org/view.php?id=CVE-2021-25004
10 Jan 2022 — The SEUR Oficial WordPress plugin before 1.7.2 creates a PHP file with a random name when installed; although it is intended for support purposes, it allows any file on the web server to be downloaded without restriction once the URL and a password that an administrator can see in the plugin settings page are known. • https://wpscan.com/vulnerability/cfbc2b43-b8f8-4bcb-a3d3-39d217afa530 • CWE-552: Files or Directories Accessible to External Parties
CVE-2021-25005 – SEUR Oficial < 1.7.0 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-25005
20 Dec 2021 — The SEUR Oficial WordPress plugin before 1.7.0 does not sanitize and escape some of its settings, allowing high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. • https://wpscan.com/vulnerability/af7d62ca-09b3-41c8-b771-be936ce8f6b2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')