CVSS: 5.3EPSS: 1%CPEs: 24EXPL: 0CVE-2022-43504 – WordPress Core < 6.0.3 - Information Disclosure (Email Address)
https://notcve.org/view.php?id=CVE-2022-43504
18 Oct 2022 — Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7. Una vulnerabilidad de autenticación inadecuada en las versiones de WordPress anteriores a la 6.0.3 permite que un atacante remoto no autenticado obtenga la dirección de correo electrónico del usuario que publicó un blo... • https://jvn.jp/en/jp/JVN09409909/index.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-287: Improper Authentication •
CVSS: 5.5EPSS: 1%CPEs: 1EXPL: 0CVE-2022-2944 – WordPress Countdown Widget <= 3.1.9.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2944
19 Sep 2022 — The WordPress Countdown Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 3.1.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45847 – WordPress Countdown Widget plugin <= 3.1.9.1 - Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-45847
06 Sep 2022 — Cross-Site Request Forgery (CSRF) vulnerability in WPAssist.Me WordPress Countdown Widget allows Cross-Site Scripting (XSS).This issue affects WordPress Countdown Widget: from n/a through 3.1.9.1. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en WPAssist.Me WordPress Countdown Widget permite cross-site scripting (XSS). Este problema afecta al widget de cuenta regresiva de WordPress: desde n/a hasta 3.1.9.1. The WordPress Countdown Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery... • https://patchstack.com/database/vulnerability/wordpress-countdown-widget/wordpress-countdown-widget-plugin-3-1-9-1-cross-site-request-forgery-csrf-leading-to-cross-site-scripting-xss?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.9EPSS: 20%CPEs: 2EXPL: 5CVE-2022-3590 – WP <= 6.1.1 - Unauthenticated Blind SSRF via DNS Rebinding
https://notcve.org/view.php?id=CVE-2022-3590
06 Sep 2022 — WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden. WordPress se ve afectado por blind SSRF no autenticado en la función de pingback. Debido a una condición de ejecución TOCTOU entre las comprobaciones de validación y la solicitud HTTP, los atacantes pueden llegar a hosts internos que están explícitamente prohibidos. WordPress Co... • https://github.com/hxlxmjxbbxs/CVE-2022-3590-WordPress-Vulnerability-Scanner • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.9EPSS: 0%CPEs: 25EXPL: 0CVE-2022-4973 – WordPress Core < 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via use of the_meta(); function
https://notcve.org/view.php?id=CVE-2022-4973
30 Aug 2022 — WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page. • https://www.wordfence.com/threat-intel/vulnerabilities/id/b5582e89-83e6-4898-b9fe-09eddeb5f7ae?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1591 – WordPress Ping Optimizer < 2.35.1.3.0 - Arbitrary Settings Update via CSRF
https://notcve.org/view.php?id=CVE-2022-1591
23 Aug 2022 — The WordPress Ping Optimizer WordPress plugin before 2.35.1.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack El plugin Ping Optimizer de WordPress versiones anteriores a 2.35.1.3.0, no presenta una comprobación de tipo CSRF cuando es actualizada su configuración, lo que podría permitir a atacantes hacer que un administrador conectado los cambie por medio de un ataque de tipo CSRF The WordPress Ping Optimizer... • https://wpscan.com/vulnerability/b1a52c7e-3422-40dd-af5a-ea4c622a87aa • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29427 – WordPress Disable Right Click For WP plugin <= 1.1.6 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-29427
04 May 2022 — Cross-Site Request Forgery (CSRF) vulnerability in Aftab Muni's Disable Right Click For WP plugin <= 1.1.6 at WordPress. Una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en el plugin Disable Right Click For WP de Aftab Muni versiones anteriores a 1.1.6 incluyéndola, en WordPress • https://patchstack.com/database/vulnerability/disable-right-click-for-wp/wordpress-disable-right-click-for-wp-plugin-1-1-6-cross-site-request-forgery-csrf-vulnerability • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.2EPSS: 5%CPEs: 1EXPL: 1CVE-2021-25111 – English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect
https://notcve.org/view.php?id=CVE-2021-25111
08 Apr 2022 — The English WordPress Admin WordPress plugin before 1.5.2 does not validate the admin_custom_language_return_url before redirecting users o it, leading to an open redirect issue El plugin English WordPress Admin de WordPress versiones anteriores a 1.5.2, no comprueba el admin_custom_language_return_url antes de redirigir a usuarios en él, conllevando a un problema de redireccionamiento abierto The English WordPress Admin WordPress plugin before 1.5.2 does not validate the admin_custom_language_return_url be... • https://wpscan.com/vulnerability/af548fab-96c2-4129-b609-e24aad0b1fc4 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-36833 – WordPress MC4WP plugin <= 4.8.6 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2021-36833
02 Mar 2022 — Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in ibericode's MC4WP plugin <= 4.8.6 at WordPress. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenado y autenticado (rol de administrador o usuario superior) en el plugin MC4WP de ibericode versiones anteriores a 4.8.6 incluyéndola, en WordPress The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 4.8.... • https://patchstack.com/database/vulnerability/mailchimp-for-wp/wordpress-mc4wp-plugin-4-8-6-authenticated-stored-cross-site-scripting-xss-vulnerability • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.0EPSS: 23%CPEs: 4EXPL: 0CVE-2022-21662 – Stored XSS in WordPress
https://notcve.org/view.php?id=CVE-2022-21662
06 Jan 2022 — WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. • https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •