CVE-2020-36747 – Lightweight Sidebar Manager <= 1.1.4 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2020-36747
The Lightweight Sidebar Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.4. This is due to missing or incorrect nonce validation on the metabox_save() function. This makes it possible for unauthenticated attackers to save metabox data via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4 https://blo • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2020-36737 – Import / Export Customizer Settings <= 1.0.3 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2020-36737
The Import / Export Customizer Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the astra_admin_errors() function. This makes it possible for unauthenticated attackers to display an import status via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4 https://blo • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2020-13125 – Ultimate Addons for Elementor <= 1.24.1 - Registration Bypass
https://notcve.org/view.php?id=CVE-2020-13125
An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled. • https://wpvulndb.com/vulnerabilities/10214 https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk • CWE-286: Incorrect User Management •
CVE-2020-36702 – Spectra – WordPress Gutenberg Blocks <= 1.14.7 - Missing Authorization
https://notcve.org/view.php?id=CVE-2020-36702
The Ultimate Addons for Gutenberg plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 1.14.7. This is due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber+ roles to update the plugin's settings. • https://blog.nintechnet.com/wordpress-ultimate-addons-for-gutenberg-plugin-fixed-vulnerability https://www.wordfence.com/threat-intel/vulnerabilities/id/4419a302-4305-44f8-a256-dd276b5cd751?source=cve • CWE-862: Missing Authorization •
CVE-2018-20977 – Schema - All In One Schema Rich Snippets <= 1.4.4 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-20977
The all-in-one-schemaorg-rich-snippets plugin before 1.5.0 for WordPress has XSS on the settings page. • https://wordpress.org/plugins/all-in-one-schemaorg-rich-snippets/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •