6 results (0.006 seconds)

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

20 Dec 2024 — The MagicPost plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wb_share_social shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3209000%40magicpost&new=3209000%40magicpost&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
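The bug class above, as an added example (this is not MagicPost's code; the shortcode tag `share_button` and its attributes `url`, `text` and `class` are hypothetical). Contributors cannot post raw HTML because KSES filters their post content on save, but a shortcode attribute such as `class='" onmouseover="alert(1)'` or `url='javascript:alert(1)'` contains no HTML tag for KSES to strip; the breakout only appears when the shortcode expands at render time, for every visitor.

```php
<?php
// Added example, not code from the MagicPost plugin. Shortcode tag and
// attribute names are hypothetical.

// VULNERABLE: echoes whatever the post author put in the shortcode.
//   [share_button url='javascript:alert(1)' class='" onmouseover="alert(1)']
// renders as <a href="javascript:alert(1)" class="" onmouseover="alert(1)">
function share_button_vulnerable( $atts ) {
    $url   = isset( $atts['url'] )   ? $atts['url']   : '';
    $text  = isset( $atts['text'] )  ? $atts['text']  : 'Share';
    $class = isset( $atts['class'] ) ? $atts['class'] : 'share-button';
    return '<a href="' . $url . '" class="' . $class . '">' . $text . '</a>';
}

// HARDENED: allow-list the attributes, sanitise them for what they are,
// then escape each one for the exact output context it lands in.
function share_button_hardened( $atts ) {
    // shortcode_atts() drops every attribute not in the allow-list, so a
    // stray onclick="..." attribute never reaches the output at all.
    $atts = shortcode_atts(
        array(
            'url'   => '',
            'text'  => 'Share',
            'class' => 'share-button',
        ),
        $atts,
        'share_button'
    );

    // esc_url() returns '' for javascript: and other disallowed schemes,
    // sanitize_html_class() keeps only characters legal in a class name
    // (falling back to the default on an empty result), esc_attr() closes
    // the quote-breakout, and esc_html() handles the text node.
    $url   = esc_url( $atts['url'] );
    $class = esc_attr( sanitize_html_class( $atts['class'], 'share-button' ) );
    $text  = esc_html( $atts['text'] );

    if ( '' === $url ) {
        return ''; // nothing sensible to link to; render nothing
    }
    return sprintf( '<a href="%s" class="%s">%s</a>', $url, $class, $text );
}
add_shortcode( 'share_button', 'share_button_hardened' );
```

The fix is two-layered on purpose: the allow-list stops unexpected attributes, and the per-context escaping (URL, attribute, text) stops hostile values in the expected ones. Escaping alone with `esc_attr()` would still let `javascript:` through into `href`, which is why `esc_url()` is the right call for the link target.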

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

03 Jul 2024 — The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_img_file' function in all versions up to, and including, 2.3.10. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server, which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/imgspider/tags/2.3.10/classes/post.class.php#L122 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

03 Jul 2024 — The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 2.3.10. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server, which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/imgspider/tags/2.3.10/classes/post.class.php#L189 • CWE-434: Unrestricted Upload of File with Dangerous Type
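The CWE-434 pattern behind both IMGspider entries above (an upload handler that never checks what kind of file it was given), as an added example beside a hardened handler. This is not IMGspider's code: the AJAX action `imgfetch_upload`, the field name `img` and the function names are hypothetical.

```php
<?php
// Added example, not code from the IMGspider plugin. Action, field and
// function names are hypothetical.

// VULNERABLE: trusts the client-supplied filename and writes the file under
// the web root. An attacker uploads shell.php and requests it directly.
function imgfetch_upload_vulnerable() {
    $file   = $_FILES['img'];
    $target = WP_CONTENT_DIR . '/uploads/imgfetch/' . $file['name'];
    move_uploaded_file( $file['tmp_name'], $target );
    wp_send_json_success( array( 'path' => $target ) );
}

// HARDENED: nonce, capability, then content-based type validation and a
// WordPress-managed destination.
function imgfetch_upload_hardened() {
    check_ajax_referer( 'imgfetch_upload' ); // dies on a missing or bad nonce

    // Contributors do not hold upload_files by default (Authors and above do),
    // which on its own closes the contributor-level vector in the advisory.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['img'] ) || UPLOAD_ERR_OK !== $_FILES['img']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }

    // Explicit allow-list of extension => MIME type; nothing else is accepted.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );

    // wp_check_filetype_and_ext() looks at the file bytes (getimagesize /
    // finfo), not only the extension, and returns empty ext/type on a
    // mismatch, so shell.php and shell.php.jpg are both rejected here.
    $check = wp_check_filetype_and_ext(
        $_FILES['img']['tmp_name'],
        $_FILES['img']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'not an allowed image type', 415 );
    }

    // wp_handle_upload() repeats the type check against $allowed, picks a
    // unique filename, and stores the file in the uploads directory.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload(
        $_FILES['img'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => esc_url_raw( $result['url'] ) ) );
}
add_action( 'wp_ajax_imgfetch_upload', 'imgfetch_upload_hardened' );
```

The explicit `wp_check_filetype_and_ext()` call is redundant with what `wp_handle_upload()` does internally; it is kept so the rejection reason is clear in the response and so the check survives if someone later swaps the storage call for a plain `move_uploaded_file()`.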

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

24 Feb 2023 — Cross-Site Request Forgery (CSRF) vulnerability in the 闪电博 多合一搜索自动推送管理插件-支持Baidu/Google/Bing/IndexNow/Yandex/头条 plugin (闪电博's all-in-one search engine auto-push management plugin, supporting Baidu/Google/Bing/IndexNow/Yandex/Toutiao; WordPress.org slug baidu-submit-link), versions <= 4.2.7. • https://patchstack.com/database/vulnerability/baidu-submit-link/wordpress-baidu-google-bing-indexnow-yandex-plugin-4-2-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

22 Dec 2021 — The Smart SEO Tool WordPress plugin before 3.0.6 does not sanitise and escape the search parameter before outputting it back in an attribute when the TDK optimisation setting is enabled, leading to Reflected Cross-Site Scripting. • https://plugins.trac.wordpress.org/changeset/2637305 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
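The shape of the reflected XSS above, as an added example (not Smart SEO Tool's code; the option name `seo_tdk_enabled` and the meta tag it emits are hypothetical). The point is the output context: the search term is written inside an HTML attribute, so `esc_html()` would not be enough either, and the vulnerable path is only reachable when the optional setting is on, which is why such bugs survive casual testing.

```php
<?php
// Added example, not code from the Smart SEO Tool plugin. Option name and
// markup are hypothetical.

// VULNERABLE: /?s=%22%3E%3Cscript%3Ealert(1)%3C/script%3E decodes to
// "><script>alert(1)</script>, closes the content="" attribute and runs
// for anyone who follows the link, but only when the setting is enabled.
function seo_meta_vulnerable() {
    if ( ! is_search() || ! get_option( 'seo_tdk_enabled' ) ) {
        return;
    }
    $q = isset( $_GET['s'] ) ? $_GET['s'] : '';
    echo '<meta name="description" content="Search results for ' . $q . '">' . "\n";
}

// HARDENED: take the raw term from WordPress (get_search_query(false) skips
// its built-in escaping so we do not rely on it implicitly), compose the
// string, then escape once for the attribute context it is written into.
function seo_meta_hardened() {
    if ( ! is_search() || ! get_option( 'seo_tdk_enabled' ) ) {
        return;
    }
    $q = get_search_query( false );
    printf(
        '<meta name="description" content="%s">' . "\n",
        esc_attr( sprintf( 'Search results for %s', $q ) )
    );
}
add_action( 'wp_head', 'seo_meta_hardened' );
```

When reviewing a plugin for this class of bug, grep for `$_GET`, `$_REQUEST` and `get_search_query( false )` and trace each to its output statement; the escaping function must match the context at the point of output (`esc_attr()` inside attributes, `esc_html()` in text nodes, `esc_url()` in `href`/`src`), not merely be present somewhere upstream.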

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

19 Aug 2021 — The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which results in Stored Cross-Site Scripting (XSS). Furthermore, the plugin also has no CSRF or capability checks in place when saving that setting, allowing any authenticated user (as low as subscriber), or an unauthenticated user via a CSRF vector, to update it and perform the attack. • https://wpscan.com/vulnerability/d50b801a-16b5-45e9-a465-e3bb0445cb49 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF)
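The settings-save pattern behind the two CSRF entries above (the baidu-submit-link plugin and Donate With QRCode), with the missing capability check and unescaped stored value from the second one, as an added example. This is not either plugin's code: the option name `qr_image`, nonce action `qr_save_setting` and function names are hypothetical.

```php
<?php
// Added example, not code from Donate With QRCode or the baidu-submit-link
// plugin. Option, nonce and function names are hypothetical.

// VULNERABLE: admin_init fires on every admin request (admin-ajax.php
// included) for any logged-in user, so a subscriber can POST qr_image
// directly, and a visitor can be made to do so by an auto-submitting form
// on another site. The stored value is later echoed raw into src="".
function qr_save_setting_vulnerable() {
    if ( isset( $_POST['qr_image'] ) ) {
        update_option( 'qr_image', $_POST['qr_image'] );
    }
}
add_action( 'admin_init', 'qr_save_setting_vulnerable' );

function qr_render_vulnerable() {
    echo '<img src="' . get_option( 'qr_image' ) . '">';
}

// HARDENED: nonce, capability, sanitise on save, escape on output.
function qr_save_setting_hardened() {
    if ( ! isset( $_POST['qr_image'] ) ) {
        return;
    }
    // 1. CSRF: the request must carry a nonce bound to this action and the
    //    current user; check_admin_referer() dies otherwise.
    check_admin_referer( 'qr_save_setting', 'qr_nonce' );

    // 2. Authorisation: a valid nonce only proves the user submitted our own
    //    form, not that they are allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // 3. Sanitise on input: keep only a well-formed http(s) URL, so a
    //    javascript: URL or a quote-breakout never reaches the database.
    $url = esc_url_raw( wp_unslash( $_POST['qr_image'] ), array( 'http', 'https' ) );
    if ( '' === $url ) {
        add_settings_error( 'qr_image', 'invalid', 'QR code image must be an http(s) URL' );
        return;
    }
    update_option( 'qr_image', $url );
}
add_action( 'admin_init', 'qr_save_setting_hardened' );

// The form that produces the nonce the handler above expects.
function qr_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'qr_save_setting', 'qr_nonce' ); ?>
        <input type="url" name="qr_image"
               value="<?php echo esc_attr( get_option( 'qr_image', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// 4. Escape on output as well: the database is not a trust boundary, and an
//    admin with unfiltered_html, or an older buggy version, may have stored
//    something esc_url_raw() would not have accepted.
function qr_render_hardened() {
    $url = get_option( 'qr_image', '' );
    if ( '' !== $url ) {
        echo '<img src="' . esc_url( $url ) . '" alt="Donate via QR code">';
    }
}
```

Steps 1 and 2 are independent: the nonce defeats the cross-site vector but a subscriber can obtain a valid nonce by loading the form, so the capability check is what stops the low-privilege authenticated attacker the advisory describes.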