CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled. • https://wpvulndb.com/vulnerabilities/10214 https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk • CWE-286: Incorrect User Management •

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Ultimate Addons for Gutenberg plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 1.14.7. This is due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber+ roles to update the plugin's settings. • https://blog.nintechnet.com/wordpress-ultimate-addons-for-gutenberg-plugin-fixed-vulnerability https://www.wordfence.com/threat-intel/vulnerabilities/id/4419a302-4305-44f8-a256-dd276b5cd751?source=cve • CWE-862: Missing Authorization •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

The all-in-one-schemaorg-rich-snippets plugin before 1.5.0 for WordPress has XSS on the settings page. • https://wordpress.org/plugins/all-in-one-schemaorg-rich-snippets/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •