CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4100 – Pricing Table <= 2.0.1 - Cross-Site Request Forgery via ajax()
https://notcve.org/view.php?id=CVE-2024-4100
The Pricing Table plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the ajax() function. This makes it possible for unauthenticated attackers to perform a variety of actions related to managing pricing tables via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. El complemento Pricing Table para WordPress es vulnerable a Cross-Site Request Forgery en todas las versiones hasta la 2.0.1 incluida. Esto se debe a una validación nonce faltante o incorrecta en la función ajax(). • https://plugins.trac.wordpress.org/browser/elfsight-pricing-table/trunk/core/includes/widgets-api.php#L71 https://www.wordfence.com/threat-intel/vulnerabilities/id/4cb3d2d4-256c-4128-9397-8b9c7be1b9c8?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4102 – Pricing Table <= 2.0.1 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-4102
The Pricing Table plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions like editing pricing tables. El complemento Pricing Table para WordPress es vulnerable al acceso no autorizado a los datos debido a una falta de verificación de capacidad en la función ajax() en todas las versiones hasta la 2.0.1 incluida. Esto hace posible que atacantes autenticados, con acceso a nivel de suscriptor y superior, realicen acciones no autorizadas como editar tablas de precios. • https://plugins.trac.wordpress.org/browser/elfsight-pricing-table/trunk/core/includes/widgets-api.php#L71 https://www.wordfence.com/threat-intel/vulnerabilities/id/aa769d51-8718-42e9-9070-0b878442dbc7?source=cve • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 9%CPEs: 1EXPL: 1CVE-2022-0867 – ARPrice Lite < 3.6.1 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2022-0867
The Pricing Table WordPress plugin before 3.6.1 fails to properly sanitize and escape user supplied POST data before it is being interpolated in an SQL statement and then executed via an AJAX action available to unauthenticated users El plugin Pricing Table de WordPress versiones anteriores a 3.6.1, no sanea ni escapa de los datos POST suministrados por el usuario antes de que sean interpolados en una sentencia SQL y sean ejecutados por medio de una acción AJAX disponible para usuarios no autenticados • https://wpscan.com/vulnerability/62803aae-9896-410b-9398-3497a838e494 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-36896 – WordPress Pricing Table plugin <= 1.5.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2021-36896
Authenticated (author or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Pricing Table (WordPress plugin) versions <= 1.5.2 Una vulnerabilidad de tipo Cross-Site Scripting (XSS) Almacenado Autenticado (autor o rol de usuario superior) en Pricing Table (plugin de WordPress) versiones anteriores a 1.5.2 incluyéndola • https://patchstack.com/database/vulnerability/pricing-table/wordpress-pricing-table-plugin-1-5-2-authenticated-stored-cross-site-scripting-xss-vulnerability https://wordpress.org/plugins/pricing-table/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •