CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28775 – WordPress Yoast SEO Premium plugin <= 20.4 - Unauthenticated Zapier API Key Reset vulnerability
https://notcve.org/view.php?id=CVE-2023-28775
Missing Authorization vulnerability in Yoast Yoast SEO Premium.This issue affects Yoast SEO Premium: from n/a through 20.4. Vulnerabilidad de autorización faltante en Yoast Yoast SEO Premium. Este problema afecta a Yoast SEO Premium: desde n/a hasta 20.4. The Yoast SEO Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in versions up to, and including, 20.4. This makes it possible for unauthenticated attackers to disconnect a Zapier API Key. • https://patchstack.com/database/vulnerability/wordpress-seo-premium/wordpress-yoast-seo-premium-plugin-20-4-unauthenticated-zapier-api-key-reset-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-47161 – WordPress Health Check & Troubleshooting Plugin <= 1.5.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-47161
Cross-Site Request Forgery (CSRF) vulnerability in The WordPress.Org community Health Check & Troubleshooting plugin <= 1.5.1 versions. The Health Check & Troubleshooting plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.1. This is due to missing or incorrect nonce validation on the health_check_troubleshoot_get_captures function. This makes it possible for unauthenticated attackers to enable or disable plugins and themes, dismiss notices, or disable troubleshooting mode when the site is in troubleshooting mode via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/health-check/wordpress-health-check-troubleshooting-plugin-1-5-1-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-30705 – WordPress WordPress Ping Optimizer Plugin <= 2.35.1.2.3 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-30705
Cross-Site Request Forgery (CSRF) vulnerability in Pankaj Jha WordPress Ping Optimizer plugin <= 2.35.1.2.3 versions. • https://patchstack.com/database/vulnerability/wordpress-ping-optimizer/wordpress-ping-optimizer-plugin-2-35-1-2-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0423 – WordPress Amazon S3 Plugin < 1.6 - Reflected XSS
https://notcve.org/view.php?id=CVE-2023-0423
The WordPress Amazon S3 Plugin WordPress plugin before 1.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin The "WordPress Amazon S3 Plugin" plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/73d588d7-26ae-42e2-8282-aa02bcb109b6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28168 – WordPress Console <= 0.3.9 - Missing Authorization via reload.php
https://notcve.org/view.php?id=CVE-2023-28168
The WordPress Console plugin for WordPress is vulnerable to unauthorized modification of data and execution of files due to missing authorization in several files such as reload.php, complete.php, and query that is also missing direct file access controls in versions up to, and including, 0.3.9. This makes it possible for unauthenticated attackers to unset the '$_SESSION['console_vars']' and '$_SESSION['partial']' variables and potentially achieve remote code execution if they can successfully exploit the type juggling weakness in query.php. • CWE-862: Missing Authorization •