CVE-2023-45069 – WordPress Video Gallery – YouTube Gallery Plugin <= 2.1.3 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-45069
03 Oct 2023 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Video Gallery by Total-Soft Video Gallery – Best WordPress YouTube Gallery Plugin allows SQL Injection. This issue affects Video Gallery – Best WordPress YouTube Gallery Plugin: from n/a through 2.1.3. Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Video Gallery by Total-Soft Video Gallery - Best WordPress YouTube Gallery Plugin allo... • https://patchstack.com/database/vulnerability/gallery-videos/wordpress-gallery-video-plugin-2-0-2-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-27456 – WordPress Total theme <= 2.1.19 - Authenticated Arbitrary Plugin Activation
https://notcve.org/view.php?id=CVE-2023-27456
01 Mar 2023 — Missing Authorization vulnerability in HashThemes Total allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Total: from n/a through 2.1.19. The Total theme for WordPress is vulnerable to Plugin Activation due to insufficient capability and nonce checks on the 'activate_plugin' function in versions up to, and including, 2.1.19. This allows any authenticated attacker with subscriber-level capabilities or greater to activate arbitrary plugins already installed on the site... • https://patchstack.com/database/wordpress/theme/total/vulnerability/wordpress-total-theme-2-1-19-authenticated-arbitrary-plugin-activation?_s_id=cve • CWE-862: Missing Authorization •
CVE-2023-25979 – WordPress Video Gallery – YouTube Gallery Plugin <= 1.7.6 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-25979
20 Feb 2023 — Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Video Gallery by Total-Soft Video Gallery plugin <= 1.7.6 versions. The Video Gallery – YouTube Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user a... • https://patchstack.com/database/vulnerability/gallery-videos/wordpress-video-gallery-youtube-gallery-plugin-1-7-6-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-3096 – WP Total Hacks <= 4.7.2 - Subscriber+ Arbitrary Options Update to Stored XSS
https://notcve.org/view.php?id=CVE-2022-3096
10 Oct 2022 — The WP Total Hacks WordPress plugin through 4.7.2 does not prevent low privilege users from modifying the plugin's settings. This could allow users such as subscribers to perform Stored Cross-Site Scripting attacks against other users, like administrators, due to the lack of sanitisation and escaping as well. The WP Total Hacks WordPress plugin through 4.7.2 does not prevent low-privilege users from modifying the plugin's settings. This could allow users such as subscribers to... • https://wpscan.com/vulnerability/46996537-a874-4b2e-9cd7-7d0832f9704d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-862: Missing Authorization •
CVE-2022-36390 – WordPress Event Calendar – Calendar plugin <= 1.4.6 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2022-36390
25 Aug 2022 — Authenticated (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Totalsoft Event Calendar – Calendar plugin <= 1.4.6 at WordPress. An Authenticated (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in the Totalsoft Event Calendar - Calendar plugin, versions up to and including 1.4.6, on WordPress. The Event Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.4.6 due to insufficient input sanitization ... • https://patchstack.com/database/vulnerability/calendar-event/wordpress-event-calendar-calendar-plugin-1-4-6-authenticated-reflected-cross-site-scripting-xss-vulnerability • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-38067 – WordPress Event Calendar – Calendar plugin <= 1.4.6 - Unauthenticated Event Deletion vulnerability
https://notcve.org/view.php?id=CVE-2022-38067
25 Aug 2022 — Unauthenticated Event Deletion vulnerability in Totalsoft Event Calendar – Calendar plugin <= 1.4.6 at WordPress. An Unauthenticated Event Deletion vulnerability in the Totalsoft Event Calendar - Calendar plugin, versions up to and including 1.4.6, on WordPress. The Event Calendar plugin for WordPress lacks authorization and capability checks on several of its functions reachable via AJAX actions in versions up to, and including, 1.4.6. This makes it possible for unauthenticated attackers to... • https://patchstack.com/database/vulnerability/calendar-event/wordpress-event-calendar-calendar-plugin-1-4-6-unauthenticated-event-deletion-vulnerability/_s_id=cve • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVE-2020-11673 – TS Poll – Best Poll Plugin for WordPress <1.3.4 - Missing Authorization
https://notcve.org/view.php?id=CVE-2020-11673
13 Apr 2020 — An issue was discovered in the Responsive Poll through 1.3.4 for WordPress. It allows an unauthenticated user to manipulate polls, e.g., delete, clone, or view a hidden poll. This is due to the usage of the callback wp_ajax_nopriv function in Includes/Total-Soft-Poll-Ajax.php for sensitive operations. An issue was discovered in Responsive Poll versions through 1.3.4 for WordPress. It allows an unauthenticated user to manipulate polls, for example to delete, clone, or view a hidden poll. • https://gist.github.com/pak0s/05a0e517aeff4b1422d1a93f59718459 • CWE-306: Missing Authentication for Critical Function CWE-862: Missing Authorization •
CVE-2007-0263
https://notcve.org/view.php?id=CVE-2007-0263
16 Jan 2007 — Unspecified vulnerability in Total Commander before 6.5.6 allows user-assisted remote attackers to delete arbitrary files and corrupt a filesystem via a crafted RAR file. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. Unspecified vulnerability in Total Commander versions before 6.5.6 allows user-assisted remote attackers to delete files of their choice and corrupt the filesystem via a crafted RAR file... • http://osvdb.org/39837 •
CVE-2006-3956
https://notcve.org/view.php?id=CVE-2006-3956
01 Aug 2006 — Multiple cross-site scripting (XSS) vulnerabilities in contact.php in Advanced Webhost Billing System (AWBS) 2.2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) Name, (2) AccountUsername and (3) Message parameters. Multiple cross-site scripting (XSS) vulnerabilities in contact.php in Advanced Webhost Billing System (AWBS) 2.2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) Name, (2) AccountUsername ... • http://secunia.com/advisories/21296 •
CVE-2001-1204
https://notcve.org/view.php?id=CVE-2001-1204
28 Dec 2001 — Directory traversal vulnerability in phprocketaddin in Total PC Solutions PHP Rocket Add-in for FrontPage 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the page parameter. Directory traversal vulnerability in phprocketaddin in 'Total PC Solutions PHP Rocket Add-in' for FrontPage 1.0 allows remote attackers to read arbitrary files via .. (dot dot) in the page parameter. • http://www.securityfocus.com/archive/1/247559 •