
CVSS: 9.9 • EPSS: 0% • CPEs: 1 • EXPL: 2

21 Aug 2024 — The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via the Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. • https://github.com/realbotnet/CVE-2024-6386 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

06 Apr 2023 — Missing Authorization vulnerability in OntheGoSystems qTranslate X Cleanup and WPML Import allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects qTranslate X Cleanup and WPML Import: from n/a through 3.0.1. The qTranslate X Cleanup and WPML Import plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clean_ajx function in versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, wi... • https://patchstack.com/database/wordpress/plugin/qtranslate-to-wpml-export/vulnerability/wordpress-qtranslate-x-cleanup-and-wpml-import-plugin-3-0-1-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Nov 2022 — Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows users with a subscriber or higher user role to change plugin settings (selected language for legacy widgets, the default behavior for media content). • https://patchstack.com/database/vulnerability/sitepress-multilingual-cms/wordpress-wpml-multilingual-cms-plugin-4-5-10-broken-access-control-vulnerability?_s_id=cve • CWE-264: Permissions, Privileges, and Access Controls; CWE-862: Missing Authorization

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Nov 2022 — Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows users with subscriber or higher user roles to change the status of the translation jobs. The WPML plugin for WordPress is vulnerable to missing authorization ... • https://patchstack.com/database/vulnerability/sitepress-multilingual-cms/wordpress-wpml-multilingual-cms-plugin-4-5-10-broken-access-control-vulnerability-2?_s_id=cve • CWE-264: Permissions, Privileges, and Access Controls; CWE-862: Missing Authorization

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Nov 2022 — Cross-Site Request Forgery (CSRF) vulnerability in WPML Multilingual CMS premium plugin <= 4.5.13 on WordPress. The WPML plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.13. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to change the ... • https://patchstack.com/database/vulnerability/sitepress-multilingual-cms/wordpress-wpml-multilingual-cms-premium-plugin-4-5-13-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Nov 2022 — Cross-Site Request Forgery (CSRF) vulnerability in WPML Multilingual CMS premium plugin <= 4.5.13 on WordPress. The WPML plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.13. This is due to missing or incorrect nonce validation on an unspecified function. This makes it possible for unauthenticated attackers to enact the... • https://patchstack.com/database/vulnerability/sitepress-multilingual-cms/wordpress-wpml-multilingual-cms-premium-plugin-4-5-13-cross-site-request-forgery-csrf-vulnerability-2?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 1

08 Oct 2018 — process_forms in the WPML (aka sitepress-multilingual-cms) plugin through 3.6.3 for WordPress has XSS via any locale_file_name_ parameter (such as locale_file_name_en) in an authenticated theme-localization.php request to wp-admin/admin.php. • https://0x62626262.wordpress.com/2018/10/08/sitepress-multilingual-cms-plugin-unauthenticated-stored-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 1% • CPEs: 1 • EXPL: 5

11 Mar 2015 — Cross-site scripting (XSS) vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the target parameter in a reminder_popup action to the default URI. • https://www.exploit-db.com/exploits/36414 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 4

10 Mar 2015 — SQL injection vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the lang parameter in the HTTP Referer header in a wp-link-ajax action to comments/feed. • https://www.exploit-db.com/exploits/36414 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.5 • EPSS: 1% • CPEs: 1 • EXPL: 4

10 Mar 2015 — The "menu sync" function in the WPML plugin before 3.1.9 for WordPress allows remote attackers to delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php. • https://www.exploit-db.com/exploits/36414 • CWE-264: Permissions, Privileges, and Access Controls; CWE-284: Improper Access Control