
CVSS: 8.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

Server-Side Request Forgery (SSRF) vulnerability in Elegant Digital Solutions CommentLuv. This issue affects CommentLuv: from n/a through 3.0.4. The CommentLuv plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.4 via the do_click function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
• https://patchstack.com/database/vulnerability/commentluv/wordpress-commentluv-plugin-3-0-4-server-side-request-forgery-ssrf-vulnerability?_s_id=cve
• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 6.1 | EPSS: 1% | CPEs: 53 | EXPL: 4

Cross-site scripting (XSS) vulnerability in the CommentLuv plugin before 2.92.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the _ajax_nonce parameter to wp-admin/admin-ajax.php. The CommentLuv plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the '_ajax_nonce' parameter in versions up to 2.92.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. WordPress CommentLuv version 2.92.3 suffers from a cross-site scripting vulnerability.
• https://www.exploit-db.com/exploits/38296
• http://archives.neohapsis.com/archives/bugtraq/2013-02/0031.html
• http://osvdb.org/89925
• http://packetstormsecurity.com/files/120090/WordPress-CommentLuv-2.92.3-Cross-Site-Scripting.html
• http://wordpress.org/plugins/commentluv/changelog
• https://www.htbridge.com/advisory/HTB23138
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')