
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

11 Mar 2024 — The News Announcement Scroll plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.0.0 due to insufficient escaping of a user-supplied shortcode parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database. • https://plugins.trac.wordpress.org/browser/news-announcement-scroll/tags/9.0.0/news-announcement-scroll.php#L261 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
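The pattern this advisory describes, shown as an added illustration rather than the plugin's own code (the table name, shortcode tag and attribute name are hypothetical): a shortcode attribute interpolated straight into SQL, beside the same query bound with `$wpdb->prepare()`. Contributor-level access matters because contributors can place shortcodes in their own posts, so every attribute reaching the handler is attacker-controlled even though the request is "authenticated".

```php
<?php
// Added illustration, not the plugin's code. Table, shortcode and attribute names are hypothetical.

// Vulnerable pattern: the attribute lands in the query verbatim.
function vuln_news_scroll_shortcode( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'ids' => '' ), $atts, 'news_scroll' );
    // ids="1) UNION SELECT user_login, user_pass FROM wp_users WHERE (1" ends up inside IN (...) unchanged.
    // esc_sql() would not help here: the value is not inside quotes, so escaping quotes changes nothing.
    $rows = $wpdb->get_results( "SELECT id, title FROM {$wpdb->prefix}news_items WHERE id IN ({$atts['ids']})" );
    $out  = '';
    foreach ( (array) $rows as $row ) {
        $out .= '<li>' . $row->title . '</li>';   // output is not escaped either
    }
    return '<ul>' . $out . '</ul>';
}

// Hardened pattern: coerce the list to integers, build one %d placeholder per value,
// bind with $wpdb->prepare(), and escape on output.
function safe_news_scroll_shortcode( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'ids' => '' ), $atts, 'news_scroll' );
    $ids  = array_filter( array_map( 'absint', explode( ',', (string) $atts['ids'] ) ) );
    if ( empty( $ids ) ) {
        return '';
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}news_items WHERE id IN ($placeholders)",
        array_values( $ids )   // prepare() accepts the bound values as a single array
    );
    $out = '';
    foreach ( (array) $wpdb->get_results( $sql ) as $row ) {
        $out .= '<li>' . esc_html( $row->title ) . '</li>';
    }
    return '<ul class="news-scroll">' . $out . '</ul>';
}
add_shortcode( 'news_scroll', 'safe_news_scroll_shortcode' );
```

The number of placeholders is derived from the sanitized list, so the query shape itself is fixed before any user value is bound; that is the property "sufficient preparation" refers to, and it is the check to look for at the cited line when reviewing the fix.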

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Jun 2023 — Cross-Site Request Forgery (CSRF) vulnerability in StoreApps Stock Manager for WooCommerce plugin versions <= 2.10.0. The Stock Manager for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.10.0. This is due to missing nonce validation on the stock-manager-setting page. This makes it possible for unauthenticated attackers to enable old plugin styles via a forged request, granted they can trick a site administrator into performing an action such a... • https://patchstack.com/database/vulnerability/woocommerce-stock-manager/wordpress-stock-manager-for-woocommerce-plugin-2-10-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

17 Nov 2022 — Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in News Announcement Scroll plugin <= 8.8.8 on WordPress. The News Announcement Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 8.8.8 due to insufficient input sanitization and outp... • https://patchstack.com/database/vulnerability/news-announcement-scroll/wordpress-news-announcement-scroll-plugin-8-8-8-auth-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
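An added illustration of the two halves the advisory names, input sanitization and output escaping, written here for this page and not taken from the plugin (option names, field names and the settings group are hypothetical). The vulnerable form stores whatever an administrator submits and echoes it raw; the hardened form registers a sanitize callback for each option and escapes at the point of output according to context.

```php
<?php
// Added illustration, not the plugin's code. Option, field and settings-group names are hypothetical.

// Vulnerable pattern: stored as submitted, printed as stored.
function vuln_save_scroll_settings() {
    update_option( 'nas_heading', $_POST['nas_heading'] );   // no sanitization
    update_option( 'nas_color',   $_POST['nas_color'] );     // ends up inside a style attribute
}
function vuln_render_scroll_heading() {
    echo '<h2 style="color:' . get_option( 'nas_color' ) . '">' . get_option( 'nas_heading' ) . '</h2>';
}

// Hardened pattern, step 1: declare each option with a sanitize callback, so every write
// through the Settings API (and options.php) runs the value through it.
function safe_register_scroll_settings() {
    register_setting( 'nas_options', 'nas_heading', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',   // strips tags, trims, removes control chars
        'default'           => '',
    ) );
    register_setting( 'nas_options', 'nas_color', array(
        'type'              => 'string',
        'sanitize_callback' => 'safe_sanitize_scroll_color',
        'default'           => '#000000',
    ) );
}
add_action( 'admin_init', 'safe_register_scroll_settings' );

// sanitize_hex_color() returns null for anything that is not #rgb / #rrggbb, so an
// injected quote or closing bracket can never reach the style attribute.
function safe_sanitize_scroll_color( $value ) {
    $hex = sanitize_hex_color( $value );
    return $hex ? $hex : '#000000';
}

// Hardened pattern, step 2: escape for the context the value is printed into.
function safe_render_scroll_heading() {
    $heading = get_option( 'nas_heading', '' );
    $color   = get_option( 'nas_color', '#000000' );
    printf(
        '<h2 style="color:%s">%s</h2>',
        esc_attr( $color ),    // attribute context
        esc_html( $heading )   // element content; use wp_kses_post() if limited markup is required
    );
}
```

Sanitizing on save is not a substitute for escaping on output: a value written by an older, unsanitized version of the plugin, or imported through another path, is still in the database, and only the output escaping neutralizes it. Note also that on a single-site install administrators hold the `unfiltered_html` capability and can already post arbitrary markup, whereas on multisite they do not; the same stored payload is therefore a real privilege boundary crossing in the multisite case.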

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

01 Aug 2022 — Authenticated IDOR vulnerability in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 on WordPress allows an attacker to change the PayPal email. The WooCommerce PayPal Payments plugin (free) must also be installed for the extra input field to appear on the user profile page. • https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

01 Aug 2022 — Multiple Improper Access Control vulnerabilities in StoreApps Affiliate For WooCommerce premium plugin <= 4.7.0 on WordPress. The Affiliate For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in versions up to, and including, 4.7.0. This makes it possible for authenticate... • https://dzv365zjfbd8v.cloudfront.net/changelogs/affiliate-for-woocommerce/changelog.txt • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
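The two Affiliate For WooCommerce entries above describe two different missing checks: an object-level one (the record being updated is chosen by a request parameter, CWE-639) and a capability one (an action that never asks who is calling, CWE-862). The following is an added illustration of both, written for this page and not taken from the plugin (meta keys, field names, the AJAX action and the nonce name are hypothetical). The profile-page case uses WordPress's real `personal_options_update` / `edit_user_profile_update` hooks, which pass the user being edited as their argument.

```php
<?php
// Added illustration, not the plugin's code. Meta keys, field names, AJAX action and nonce are hypothetical.

// Vulnerable pattern A (CWE-639): the target user id is read from a plugin-specific request
// field instead of the hook argument, so any user allowed on the profile page can aim the
// write at another account.
function vuln_save_paypal_email( $user_id ) {
    $target = (int) $_POST['afwc_user'];                     // attacker-chosen key, ignores $user_id
    update_user_meta( $target, 'afwc_paypal_email', $_POST['afwc_paypal_email'] );
}
add_action( 'personal_options_update',  'vuln_save_paypal_email' );
add_action( 'edit_user_profile_update', 'vuln_save_paypal_email' );

// Vulnerable pattern B (CWE-862): a privileged admin-ajax action with no capability check
// and no nonce; every logged-in user can reach wp_ajax_* handlers.
function vuln_ajax_approve_affiliate() {
    update_user_meta( (int) $_POST['user_id'], 'afwc_is_affiliate', 'yes' );
    wp_send_json_success();
}
add_action( 'wp_ajax_afwc_approve', 'vuln_ajax_approve_affiliate' );

// Hardened A: bind the write to the user the hook hands us and re-check the object-level
// meta capability against that id. Core verifies the 'update-user_{id}' nonce and edit_user
// before firing these hooks; the re-check is cheap and protects any other caller of the function.
function safe_save_paypal_email( $user_id ) {
    $user_id = absint( $user_id );
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }
    $email = isset( $_POST['afwc_paypal_email'] ) ? sanitize_email( wp_unslash( $_POST['afwc_paypal_email'] ) ) : '';
    if ( '' === $email || ! is_email( $email ) ) {
        return;                                              // reject rather than store garbage
    }
    update_user_meta( $user_id, 'afwc_paypal_email', $email );
}
add_action( 'personal_options_update',  'safe_save_paypal_email' );
add_action( 'edit_user_profile_update', 'safe_save_paypal_email' );

// Hardened B: nonce first (blocks CSRF), then a capability that actually expresses
// "may manage affiliates", then validation that the key refers to a real user.
function safe_ajax_approve_affiliate() {
    check_ajax_referer( 'afwc_admin_nonce', 'security' );    // dies with -1 on failure
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( ! $user_id || ! get_userdata( $user_id ) ) {
        wp_send_json_error( 'unknown user', 400 );
    }
    update_user_meta( $user_id, 'afwc_is_affiliate', 'yes' );
    wp_send_json_success();
}
add_action( 'wp_ajax_afwc_approve', 'safe_ajax_approve_affiliate' );
```

The distinction worth keeping in mind when reviewing a fix: `current_user_can( 'manage_woocommerce' )` answers "may this user do this kind of thing", while `current_user_can( 'edit_user', $user_id )` answers "may this user do it to this particular record". An IDOR is usually fixed by the second kind of check, or by not accepting the record key from the request at all.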

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

15 Nov 2021 — The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allow any logged-in user, such as a subscriber, to update them. • https://wpscan.com/vulnerability/15eed13f-3195-4f5d-8933-36695c830f4f • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
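This entry and the Stock Manager CSRF entry above (14 Jun 2023) are the same defect seen from two sides: without a capability check any logged-in user can submit the settings form directly, and without a nonce an unauthenticated attacker can have an administrator's browser submit it for them. The following is an added illustration of a settings handler with both checks missing and the corrected version, written for this page and not taken from either plugin (option, field, action and nonce names are hypothetical).

```php
<?php
// Added illustration, not either plugin's code. Option, field, action and nonce names are hypothetical.

// Vulnerable pattern: the save runs on admin_init, which fires on every wp-admin request
// (a subscriber can reach wp-admin/profile.php), with neither a capability check nor a nonce.
// A cross-site page containing
//   <form action="https://victim/wp-admin/profile.php" method="post">
//     <input name="tlwp_settings[legacy_styles]" value="1"></form><script>document.forms[0].submit()</script>
// is enough for the CSRF half; the subscriber just POSTs the field directly.
function vuln_save_settings() {
    if ( isset( $_POST['tlwp_settings'] ) ) {
        update_option( 'tlwp_settings', $_POST['tlwp_settings'] );
    }
}
add_action( 'admin_init', 'vuln_save_settings' );

// Hardened pattern: a dedicated admin-post endpoint, capability check, nonce check,
// then each field coerced to its expected type instead of stored as an arbitrary array.
function safe_render_settings_form() {
    $opts = (array) get_option( 'tlwp_settings', array() );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="tlwp_save_settings">';
    wp_nonce_field( 'tlwp_save_settings', 'tlwp_nonce' );   // nonce bound to this action and the current user
    echo '<label>Expiry (days) <input type="number" name="tlwp_settings[expiry_days]" value="'
        . esc_attr( $opts['expiry_days'] ?? 7 ) . '"></label>';
    echo '<label><input type="checkbox" name="tlwp_settings[legacy_styles]" value="1"'
        . checked( ! empty( $opts['legacy_styles'] ), true, false ) . '> Use old styles</label>';
    submit_button();
    echo '</form>';
}

function safe_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {           // authorization: who may change settings
        wp_die( 'Insufficient permissions', 403 );
    }
    check_admin_referer( 'tlwp_save_settings', 'tlwp_nonce' ); // CSRF: dies on a missing or forged nonce

    $in  = isset( $_POST['tlwp_settings'] ) && is_array( $_POST['tlwp_settings'] )
        ? wp_unslash( $_POST['tlwp_settings'] ) : array();
    $out = array(
        'expiry_days'   => min( 365, max( 1, absint( $in['expiry_days'] ?? 7 ) ) ),
        'legacy_styles' => ! empty( $in['legacy_styles'] ),
    );
    update_option( 'tlwp_settings', $out );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_tlwp_save_settings', 'safe_save_settings' );
```

Order matters: the capability check comes first so that an unauthorized user gets a clean 403 rather than a nonce failure, and the nonce check comes before anything is written. A nonce alone would not have closed this entry, because the subscriber holds a valid session and can fetch a valid nonce from the form; only the capability check stops the authenticated case.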

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

14 Jun 2021 — The WooCommerce Stock Manager WordPress plugin is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Upload in versions up to, and including, 2.5.7 due to missing nonce and file validation in the /woocommerce-stock-manager/trunk/admin/views/import-export.php file. • https://plugins.trac.wordpress.org/browser/woocommerce-stock-manager/trunk/admin/views/import-export.php?rev=2499178 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-434: Unrestricted Upload of File with Dangerous Type •
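The advisory names two missing controls, a nonce and file validation; the combination is what turns a CSRF into code execution, because a forged multipart form can carry a `.php` file and the handler writes it under a web-reachable directory. The following is an added illustration of that handler and a hardened version, written for this page and not taken from the plugin (field, nonce and directory names are hypothetical).

```php
<?php
// Added illustration, not the plugin's code. Field, nonce and directory names are hypothetical.

// Vulnerable pattern: no capability check, no nonce, and the upload is written under
// wp-content/uploads/ with the client-supplied name, so shell.php is reachable over HTTP.
function vuln_import_stock() {
    if ( ! empty( $_FILES['import_file'] ) ) {
        $upload = wp_upload_dir();
        $dest   = $upload['basedir'] . '/stock-import/' . $_FILES['import_file']['name'];
        move_uploaded_file( $_FILES['import_file']['tmp_name'], $dest );
        wsm_read_csv( $dest );
    }
}

// Hardened pattern: capability + nonce (closes the CSRF), an allow-list check of the file
// type, a size cap, and the CSV parsed straight from PHP's temp file so nothing is ever
// persisted under a web-reachable path.
function safe_import_stock() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    check_admin_referer( 'wsm_import_stock', 'wsm_nonce' );   // form must carry wp_nonce_field( 'wsm_import_stock', 'wsm_nonce' )

    if ( empty( $_FILES['import_file'] ) || UPLOAD_ERR_OK !== $_FILES['import_file']['error'] ) {
        wp_die( 'No file uploaded', 400 );
    }
    $file = $_FILES['import_file'];
    if ( $file['size'] > 5 * MB_IN_BYTES ) {
        wp_die( 'File too large', 413 );
    }
    // Allow-list: only the csv extension/MIME pair is acceptable. The check also consults the
    // detected content type where the platform can determine one, but the decisive control
    // here is that the file is never stored, so a mis-typed file can at worst fail to parse.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], array( 'csv' => 'text/csv' ) );
    if ( 'csv' !== $check['ext'] ) {
        wp_die( 'Only CSV files are accepted', 415 );
    }

    $rows = wsm_read_csv( $file['tmp_name'] );
    // ... apply $rows to product stock here ...
    return $rows;
}

// Parse a CSV into associative rows keyed by the header line; rows whose column count
// does not match the header are skipped rather than guessed at.
function wsm_read_csv( $path ) {
    $rows = array();
    $fh   = fopen( $path, 'r' );
    if ( ! $fh ) {
        return $rows;
    }
    $header = fgetcsv( $fh );
    if ( ! is_array( $header ) ) {
        fclose( $fh );
        return $rows;
    }
    while ( ( $line = fgetcsv( $fh ) ) !== false ) {
        if ( count( $line ) === count( $header ) ) {
            $rows[] = array_combine( $header, $line );
        }
    }
    fclose( $fh );
    return $rows;
}
```

If the import genuinely has to be kept on disk, hand it to `wp_handle_upload()` with a `mimes` restriction instead of `move_uploaded_file()`, store it under a random name, and keep the directory out of the document root or protected from direct requests; the extension check alone is not what prevents execution, the storage location is.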