CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-52209 – WordPress WPForms User Registration plugin <= 2.1.0 - Authenticated Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2023-52209
Improper Privilege Management vulnerability in WPForms, LLC. WPForms User Registration allows Privilege Escalation.This issue affects WPForms User Registration: from n/a through 2.1.0. The WPForms User Registration plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.1.0. This is due to a missing capability check when adding a role option to a form. This makes it possible for authenticated attackers, with contributor-level access and above, to create a form that allows them to register as a higher privileged user. • https://patchstack.com/database/vulnerability/wpforms-user-registration/wordpress-wpforms-user-registration-plugin-2-1-0-authenticated-privilege-escalation-vulnerability?_s_id=cve • CWE-269: Improper Privilege Management CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29820 – WordPress PDF Builder for WPForms plugin <= 1.2.88 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-29820
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RedNao PDF Builder for WPForms allows Stored XSS.This issue affects PDF Builder for WPForms: from n/a through 1.2.88. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('Cross-site Scripting') en RedNao PDF Builder para WPForms permite XSS almacenado. Este problema afecta a PDF Builder para WPForms: desde n/a hasta 1.2.88. The PDF Builder for WPForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' variable in versions up to, and including, 1.2.88 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/pdf-builder-for-wpforms/wordpress-pdf-builder-for-wpforms-plugin-1-2-88-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-7063 – WPForms Pro 1.8.4 - 1.8.5.3 - Unauthenticated Stored Cross-Site Scripting via Form Submission
https://notcve.org/view.php?id=CVE-2023-7063
The WPForms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form submission parameters in all versions up to, and including, 1.8.5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento WPForms Pro para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de parámetros de envío de formularios en todas las versiones hasta la 1.8.5.3 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. The WPForms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form submission parameters in all versions from 1.8.4 up to, and including, 1.8.5.3 due to insufficient input sanitization and output escaping. • https://wpforms.com/docs/how-to-view-recent-changes-to-the-wpforms-plugin-changelog/#1-8-5-4-2023-12-27 https://www.wordfence.com/threat-intel/vulnerabilities/id/31c080b8-ba00-4e96-8961-2a1c3a017004?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3213 – WP Mail SMTP Pro <= 3.8.0 - Missing Authorization to Information Dislcosure via is_print_page
https://notcve.org/view.php?id=CVE-2023-3213
The WP Mail SMTP Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_print_page function in versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to disclose potentially sensitive email information. El complemento WP Mail SMTP Pro para WordPress es vulnerable al acceso no autorizado a los datos debido a una falta de verificación de capability en la función is_print_page en versiones hasta la 3.8.0 incluida. Esto hace posible que atacantes no autenticados revelen información de correo electrónico potencialmente confidencial. • https://wpmailsmtp.com/docs/how-to-view-recent-changes-to-the-wp-mail-smtp-plugin-changelog https://www.wordfence.com/threat-intel/vulnerabilities/id/a813251b-a4c1-4b23-ad03-dcc1f4f19eb9?source=cve • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-30500 – WordPress WPForms plugins - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2023-30500
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPForms WPForms Lite (wpforms-lite), WPForms WPForms Pro (wpforms) plugins <= 1.8.1.2 versions. The Contact Form by WPForms (Free and Premium) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.8.1.2 due to insufficient input sanitization and output escaping on debug data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/wpforms-lite/wordpress-wpforms-lite-plugin-1-8-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve https://patchstack.com/database/vulnerability/wpforms/wordpress-wpforms-pro-plugin-1-8-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •