CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-4962 – Video PopUp <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2023-4962
04 Dec 2023 — The Video PopUp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'video_popup' shortcode in versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Video PopUp para WordPress es vulnerable a Cross-Site Scripti... • https://plugins.trac.wordpress.org/browser/video-popup/trunk/features/shortcode.php?rev=2928708#L144 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 16EXPL: 0CVE-2013-2693 – WP-Print <= 2.51 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2013-2693
05 Apr 2013 — Cross-site request forgery (CSRF) vulnerability in the Options in the WP-Print plugin before 2.52 for WordPress allows remote attackers to hijack the authentication of administrators for requests that manipulate plugin settings via unspecified vectors. Vulnerabilidad de CSRF en las opciones en el plugin WP-Print anterior a 2.52 para WordPress permite a atacantes remotos secuestrar la autenticación de administradores para solicitudes que manipulan configuraciones de plugins a través de vectores no especifica... • http://osvdb.org/92053 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2007-10003 – The Hackers Diet Plugin HTTP POST Request ajax_blurb.php sql injection
https://notcve.org/view.php?id=CVE-2007-10003
30 Apr 2007 — A vulnerability, which was classified as critical, has been found in The Hackers Diet Plugin up to 0.9.6b on WordPress. This issue affects some unknown processing of the file ajax_blurb.php of the component HTTP POST Request Handler. The manipulation of the argument user leads to sql injection. The attack may be initiated remotely. Upgrading to version 0.9.7b is able to address this issue. • https://github.com/wp-plugins/the-hackers-diet/commit/7dd8acf7cd8442609840037121074425d363b694 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2005-10002 – almosteffortless secure-files Plugin secure-files.php sf_downloads path traversal
https://notcve.org/view.php?id=CVE-2005-10002
03 Oct 2005 — A vulnerability, which was classified as critical, was found in almosteffortless secure-files Plugin up to 1.1 on WordPress. Affected is the function sf_downloads of the file secure-files.php. The manipulation of the argument downloadfile leads to path traversal. Upgrading to version 1.2 is able to address this issue. The name of the patch is cab025e5fc2bcdad8032d833ebc38e6bd2a13c92. • https://github.com/wp-plugins/secure-files/commit/cab025e5fc2bcdad8032d833ebc38e6bd2a13c92 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •