
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

The contact-form-multi plugin before 1.2.1 for WordPress has multiple XSS issues. The Updater plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to 1.2.1 due to insufficient input sanitization and output escaping on the 'category' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a victim's browser granted they can trick a victim into performing an action, such as clicking on a link.
• https://wordpress.org/plugins/contact-form-multi/#developers
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

The updater plugin before 1.35 for WordPress has multiple XSS issues. The Updater by BestWebSoft plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.34 due to insufficient input sanitization and output escaping on the 'category' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a victim's browser granted they can trick a victim into performing an action, such as clicking on a link.
• https://wordpress.org/plugins/updater/#developers
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 2

A vulnerability classified as problematic has been found in BestWebSoft Contact Form Plugin 4.0.0. This affects an unknown part. The manipulation leads to basic cross site scripting (Stored). It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
• http://seclists.org/fulldisclosure/2017/Feb/100
• https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_contact_form_wordpress_plugin.html
• https://vuldb.com/?id.97389
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

The visitors-online plugin before 0.4 for WordPress has SQL injection. The Visitors Online by BestWebSoft plugin for WordPress is vulnerable to generic SQL Injection in versions up to, and including, 0.3 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
• https://wordpress.org/plugins/visitors-online/#developers
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

The limit-attempts plugin before 1.1.1 for WordPress has SQL injection during IP address handling.
• https://wordpress.org/plugins/limit-attempts/#developers
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')