CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-30705 – WordPress WordPress Ping Optimizer Plugin <= 2.35.1.2.3 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-30705
Cross-Site Request Forgery (CSRF) vulnerability in Pankaj Jha WordPress Ping Optimizer plugin <= 2.35.1.2.3 versions. • https://patchstack.com/database/vulnerability/wordpress-ping-optimizer/wordpress-ping-optimizer-plugin-2-35-1-2-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0423 – WordPress Amazon S3 Plugin < 1.6 - Reflected XSS
https://notcve.org/view.php?id=CVE-2023-0423
The WordPress Amazon S3 Plugin WordPress plugin before 1.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin The "WordPress Amazon S3 Plugin" plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/73d588d7-26ae-42e2-8282-aa02bcb109b6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28168 – WordPress Console <= 0.3.9 - Missing Authorization via reload.php
https://notcve.org/view.php?id=CVE-2023-28168
The WordPress Console plugin for WordPress is vulnerable to unauthorized modification of data and execution of files due to missing authorization in several files such as reload.php, complete.php, and query that is also missing direct file access controls in versions up to, and including, 0.3.9. This makes it possible for unauthenticated attackers to unset the '$_SESSION['console_vars']' and '$_SESSION['partial']' variables and potentially achieve remote code execution if they can successfully exploit the type juggling weakness in query.php. • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23887 – Easy Google Analytics for WordPress <= 1.6.0 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2023-23887
The Easy Google Analytics for WordPress plugin is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.0. This is due to missing or incorrect nonce validation in the 'ga_admin_set.php' file. This makes it possible for unauthenticated attackers to update the plugin's Google Analytics account and client ID options to arbitrary values including a stored Cross-Site Scripting payload granted they can trick a site administrator into performing an action such as clicking on a link. Additionally the 'ga_admin_set.php' can be accessed directly, and though it is not possible to update options by doing so, loading it via a separate LFI vulnerability would allow an attacker to update options as well. • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23806 – WordPress WordPress Custom Settings Plugin <= 1.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-23806
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Davinder Singh Custom Settings plugin <= 1.0 versions. The WordPress Custom Settings plugin is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://patchstack.com/database/vulnerability/custom-settings/wordpress-wordpress-custom-settings-plugin-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •