CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45823 – WordPress Video Contest WordPress Plugin Plugin <= 3.2 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-45823
Cross-Site Request Forgery (CSRF) vulnerability in GalleryPlugins Video Contest WordPress plugin <= 3.2 versions. The Video Contest WordPress Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to perform unauthorized actions on behalf of a site's administrator via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/video-contest/wordpress-video-contest-wordpress-plugin-plugin-3-2-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-47174 – WordPress Performance Lab Plugin <= 2.2.0 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-47174
Cross-Site Request Forgery (CSRF) vulnerability in WordPress Performance Team Performance Lab plugin <= 2.2.0 versions. The Performance Lab plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the dismiss-wp-pointer AJAX action. This makes it possible for unauthenticated attackers to dismiss new feature pointers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/performance-lab/wordpress-performance-lab-plugin-2-2-0-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 22EXPL: 0CVE-2023-2745 – WordPress Core < 6.2.1 - Directory Traversal
https://notcve.org/view.php?id=CVE-2023-2745
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack. WordPress Core versions 6.2 and below suffer from cross site request forgery, persistent cross site scripting, shortcode execution, insufficient sanitization, and directory traversal vulnerabilities. • http://packetstormsecurity.com/files/172426/WordPress-Core-6.2-XSS-CSRF-Directory-Traversal.html https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=55765%40%2F&new=55765%40%2F&sfp_email=&sfph_mail= https://lists.debian.org/debian-lts-announce/2023/06/msg00024.html https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release https://www.wordfence.com/threat-intel/vulnerabilities/id/edcf46b6-368e-49c0-b2c3-99bf6e2d358f?source=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28775 – WordPress Yoast SEO Premium plugin <= 20.4 - Unauthenticated Zapier API Key Reset vulnerability
https://notcve.org/view.php?id=CVE-2023-28775
Missing Authorization vulnerability in Yoast Yoast SEO Premium.This issue affects Yoast SEO Premium: from n/a through 20.4. Vulnerabilidad de autorización faltante en Yoast Yoast SEO Premium. Este problema afecta a Yoast SEO Premium: desde n/a hasta 20.4. The Yoast SEO Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in versions up to, and including, 20.4. This makes it possible for unauthenticated attackers to disconnect a Zapier API Key. • https://patchstack.com/database/vulnerability/wordpress-seo-premium/wordpress-yoast-seo-premium-plugin-20-4-unauthenticated-zapier-api-key-reset-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-47161 – WordPress Health Check & Troubleshooting Plugin <= 1.5.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-47161
Cross-Site Request Forgery (CSRF) vulnerability in The WordPress.Org community Health Check & Troubleshooting plugin <= 1.5.1 versions. The Health Check & Troubleshooting plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.1. This is due to missing or incorrect nonce validation on the health_check_troubleshoot_get_captures function. This makes it possible for unauthenticated attackers to enable or disable plugins and themes, dismiss notices, or disable troubleshooting mode when the site is in troubleshooting mode via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/health-check/wordpress-health-check-troubleshooting-plugin-1-5-1-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •