25 results (0.007 seconds)

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Wow-Company Woocommerce – Recent Purchases allows PHP Local File Inclusion.This issue affects Woocommerce – Recent Purchases: from n/a through 1.0.1. Limitación inadecuada de un nombre de ruta a una vulnerabilidad de directorio restringido ("Path Traversal") en Wow-Company Woocommerce – Recent Purchases permite la inclusión de archivos locales PHP. Este problema afecta a Woocommerce – Recent Purchases: desde n/a hasta 1.0.1. The Woocommerce – Recent Purchases plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. • https://patchstack.com/database/vulnerability/woo-recent-purchases/woocommerce-recent-purchases-plugin-1-0-1-file-inclusion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Wow-Company Easy Digital Downloads – Recent Purchases allows PHP Remote File Inclusion.This issue affects Easy Digital Downloads – Recent Purchases: from n/a through 1.0.2. Control inadecuado del nombre de archivo para la declaración Incluir/Requerir en el programa PHP ('Inclusión remota de archivos PHP') vulnerabilidad en Wow-Company Easy Digital Downloads – Recent Purchases permite la inclusión remota de archivos PHP. Este problema afecta a Easy Digital Downloads – Recent Purchases: desde n/ a hasta 1.0.2. The Easy Digital Downloads – Recent Purchases plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to include and execute arbitrary files hosted on external server,s allowing the execution of any PHP code in those files. • https://patchstack.com/database/vulnerability/edd-recent-purchases/wordpress-easy-digital-downloads-recent-purchases-plugin-1-0-2-remote-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') CWE-829: Inclusion of Functionality from Untrusted Control Sphere •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0

The Sticky Buttons – floating buttons builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via sticky URLs in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. El complemento Sticky Buttons – floating buttons builder para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de URL fijas en todas las versiones hasta la 3.2.2 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso a nivel de administrador, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3024941%40sticky-buttons&new=3024941%40sticky-buttons&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c070be-e955-4076-9878-0b1044766397?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Floating Button.This issue affects Floating Button: from n/a through 6.0. Cross-Site Request Forgery (CSRF) en Wow-Company Floating Button. Este problema afecta a Floating Button: desde n/a hasta 6.0. The Floating Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.0. This is due to missing or incorrect nonce validation on the process_bulk_action function. • https://patchstack.com/database/vulnerability/floating-button/wordpress-floating-button-plugin-6-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Button Generator – easily Button Builder.This issue affects Button Generator – easily Button Builder: from n/a through 2.3.8. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Wow-Company Button Generator – easily Button Builder. Este problema afecta a Button Generator – easily Button Builder: desde n/a hasta 2.3.8. The Button Generator – easily Button Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.8. This is due to missing nonce validation on the btg_count() function. • https://patchstack.com/database/vulnerability/button-generation/wordpress-button-generator-easily-button-builder-plugin-2-3-8-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •