CVE-2023-4773 – WordPress Social Login <= 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2023-4773
The WordPress Social Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wordpress_social_login_meta' shortcode in versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El plugin WordPress Social Login para WordPress es vulnerable a Cross-Site Scripting (XSS) almacenado a través del shortcode "wordpress_social_login_meta" en versiones hasta, e incluyendo, la 3.0.4 debido a la insuficiente sanitización de entrada y escape de salida en los atributos suministrados por el usuario. Esto hace posible que atacantes autenticados con permisos de nivel de colaborador y superiores inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/wordpress-social-login/tags/3.0.4/includes/widgets/wsl.auth.widgets.php#L413 https://www.wordfence.com/threat-intel/vulnerabilities/id/b987822d-2b1b-4f79-988b-4bd731864b63?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-38383 – Language <= 1.2.1 - Missing Authorization
https://notcve.org/view.php?id=CVE-2023-38383
The Language plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions. • CWE-862: Missing Authorization •
CVE-2023-35098 – WordPress NextGen GalleryView Plugin <= 0.5.5 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-35098
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in John Brien WordPress NextGen GalleryView plugin <= 0.5.5 versions. The NextGen GalleryView plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 0.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/wordpress-nextgen-galleryview/wordpress-wordpress-nextgen-galleryview-plugin-0-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-34185 – WordPress NextGen GalleryView Plugin <= 0.5.5 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-34185
Cross-Site Request Forgery (CSRF) vulnerability in John Brien WordPress NextGen GalleryView plugin <= 0.5.5 versions. The NextGen GalleryView plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.5.5. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke this function via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/wordpress-nextgen-galleryview/wordpress-wordpress-nextgen-galleryview-plugin-0-5-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-34029 – WordPress Disable WordPress Update Notifications Plugin <= 2.3.3 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-34029
Cross-Site Request Forgery (CSRF) vulnerability in Prem Tiwari Disable WordPress Update Notifications and auto-update Email Notifications plugin <= 2.3.3 versions. The Disable WordPress Update Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.3. This is due to missing or incorrect nonce validation on the dwnSettings() function. This makes it possible for unauthenticated attackers to modify the plugin's settings, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/disable-update-notifications/wordpress-disable-wordpress-update-notifications-and-auto-update-email-notifications-plugin-2-3-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •