CVE-2023-45069 – WordPress Video Gallery – YouTube Gallery Plugin <= 2.1.3 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-45069
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Video Gallery by Total-Soft Video Gallery – Best WordPress YouTube Gallery Plugin allows SQL Injection. This issue affects Video Gallery – Best WordPress YouTube Gallery Plugin: from n/a through 2.1.3.
The Video Gallery – YouTube Gallery plugin for WordPress is vulnerable to SQL Injection via the 's' and 'orderby' parameters in versions up to, and including, 2.1.4 due to insufficient escaping of the user-supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries to already existing queries that can be used to extract sensitive information from the database.
• https://patchstack.com/database/vulnerability/gallery-videos/wordpress-gallery-video-plugin-2-0-2-sql-injection-vulnerability?_s_id=cve
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-25979 – WordPress Video Gallery – YouTube Gallery Plugin <= 1.7.6 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-25979
Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Video Gallery by Total-Soft Video Gallery plugin versions <= 1.7.6.
The Video Gallery – YouTube Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
• https://patchstack.com/database/vulnerability/gallery-videos/wordpress-video-gallery-youtube-gallery-plugin-1-7-6-cross-site-scripting-xss-vulnerability?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-38067 – WordPress Event Calendar – Calendar plugin <= 1.4.6 - Unauthenticated Event Deletion vulnerability
https://notcve.org/view.php?id=CVE-2022-38067
Unauthenticated Event Deletion vulnerability in Totalsoft Event Calendar – Calendar plugin versions <= 1.4.6 for WordPress.
The Event Calendar plugin for WordPress lacks authorization and capability checks on several of its functions reachable via AJAX actions in versions up to, and including, 1.4.6. This makes it possible for unauthenticated attackers to edit, clone, and delete events.
• https://patchstack.com/database/vulnerability/calendar-event/wordpress-event-calendar-calendar-plugin-1-4-6-unauthenticated-event-deletion-vulnerability/_s_id=cve
• https://wordpress.org/plugins/calendar-event
• CWE-264: Permissions, Privileges, and Access Controls
• CWE-862: Missing Authorization
CVE-2022-36390 – WordPress Event Calendar – Calendar plugin <= 1.4.6 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2022-36390
Authenticated (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Totalsoft Event Calendar – Calendar plugin versions <= 1.4.6 for WordPress.
The Event Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
• https://patchstack.com/database/vulnerability/calendar-event/wordpress-event-calendar-calendar-plugin-1-4-6-authenticated-reflected-cross-site-scripting-xss-vulnerability
• https://wordpress.org/plugins/calendar-event/#developers
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-11673 – TS Poll – Best Poll Plugin for WordPress <1.3.4 - Missing Authorization
https://notcve.org/view.php?id=CVE-2020-11673
An issue was discovered in the Responsive Poll plugin through version 1.3.4 for WordPress. It allows an unauthenticated user to manipulate polls, e.g., delete, clone, or view a hidden poll. This is due to the use of the wp_ajax_nopriv callback in Includes/Total-Soft-Poll-Ajax.php for sensitive operations.
• https://gist.github.com/pak0s/05a0e517aeff4b1422d1a93f59718459
• https://wordpress.org/plugins/poll-wp/#developers
• CWE-306: Missing Authentication for Critical Function
• CWE-862: Missing Authorization