
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Sign-up Sheets WordPress plugin before 2.2.13 does not escape some generated URLs, as well as the $_SERVER['REQUEST_URI'] parameter before outputting them back in attributes, which could lead to Reflected Cross-Site Scripting. The Sign-up Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['REQUEST_URI'] without appropriate escaping on the URL in all versions up to, and including, 2.2.12. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
• https://wpscan.com/vulnerability/f3526320-3abd-4ddb-8f73-778741bd9c48
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in Fetch Designs Sign-up Sheets plugin <= 2.2.8 versions. The Sign-up Sheets plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.8. This is due to missing nonce validation on the maybeProcessReset() and maybeProcessSave() functions. This makes it possible for unauthenticated attackers to save and reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
• https://patchstack.com/database/vulnerability/sign-up-sheets/wordpress-sign-up-sheets-plugin-2-2-8-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Sign-up Sheets WordPress plugin before 1.0.14 did not sanitise or escape some of its fields when creating a new sheet, allowing high privilege users to add JavaScript in them, leading to a Stored Cross-Site Scripting issue. The payloads will be triggered when viewing the 'All Sheets' page in the admin dashboard.
• https://wpscan.com/vulnerability/ba4503f7-684e-4274-bc53-3aa848712496
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Sign-up Sheets WordPress plugin before 1.0.14 does not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue.
• https://wpscan.com/vulnerability/ec9292b1-5cbd-4332-bdb6-2351c94f5ac6
• CWE-1236: Improper Neutralization of Formula Elements in a CSV File