
CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Qubely WordPress plugin before 1.8.6 allows unauthenticated users to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action. The Qubely plugin for WordPress is vulnerable to unauthorized arbitrary e-mail sending in versions up to, and including, 1.8.5. This is due to insufficient validation of the presence of a contact form block and of the email fields in the qubely_send_form_data() function called via an AJAX action. This makes it possible for unauthenticated attackers to send emails with arbitrary content to arbitrary addresses.
• https://wpscan.com/vulnerability/93b893be-59ad-4500-8edb-9fa7a45304d5
• CWE-863: Incorrect Authorization

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Qubely WordPress plugin before 1.8.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Qubely plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'className' parameter in versions up to, and including, 1.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
• https://wpscan.com/vulnerability/b1aa6f32-c1d5-4fc6-9a4e-d4c5fae78389
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF checks on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belongs to the plugin. As a result, any authenticated user, such as a subscriber, can delete arbitrary posts.
• https://wpscan.com/vulnerability/e88b7a70-ee71-439f-b3c6-0300adb980b0
• CWE-352: Cross-Site Request Forgery (CSRF)
• CWE-862: Missing Authorization