CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2021-24711 – Software License Manager < 4.5.1 - Arbitrary Domain Deletion via CSRF
https://notcve.org/view.php?id=CVE-2021-24711
The del_reistered_domains AJAX action of the Software License Manager WordPress plugin before 4.5.1 does not have any CSRF checks, and is vulnerable to a CSRF attack La acción AJAX del_reistered_domains del plugin Software License Manager de WordPress versiones anteriores a 4.5.1 no presenta comprobaciones de tipo CSRF, y es vulnerable a un ataque de tipo CSRF The Software License Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the del_reistered_domains AJAX action. This makes it possible for unauthenticated attackers to delete an entry in the plugin's registered domain database table via forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://jetpack.com/2021/09/14/csrf-vulnerability-found-in-software-license-manager-plugin https://wpscan.com/vulnerability/3351bc30-e5ff-471f-8d1c-b1bcdf419937 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-24560 – Software License Manager < 4.4.8 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24560
The Software License Manager WordPress plugin before 4.4.8 does not sanitise or escape the edit_record parameter before outputting it back in the page in the admin dashboard, leading to a Reflected Cross-Site Scripting issue El plugin Software License Manager de WordPress versiones anteriores a 4.4.8, no sanea o escapa del parámetro edit_record antes de devolverlo a la página en el panel de administración, conllevando a un problema de tipo Cross-Site Scripting Reflejado • https://wpscan.com/vulnerability/d51fcd97-e535-42dd-997a-edc2f5f12269 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-20782 – Software License Manager < 4.4.6 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2021-20782
Cross-site request forgery (CSRF) vulnerability in Software License Manager versions prior to 4.4.6 allows remote attackers to hijack the authentication of administrators via unspecified vectors. Una vulnerabilidad de tipo Cross-site request forgery (CSRF) en Software License Manager versiones anteriores a 4.4.6 permite a atacantes remotos secuestrar la autenticación de los administradores por medio de vectores no especificados • https://jvn.jp/en/jp/JVN89054582/index.html https://wordpress.org/plugins/software-license-manager https://www.tipsandtricks-hq.com/software-license-manager-plugin-for-wordpress • CWE-352: Cross-Site Request Forgery (CSRF) •