CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45847 – WordPress Countdown Widget plugin <= 3.1.9.1 - Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-45847
Cross-Site Request Forgery (CSRF) vulnerability in WPAssist.Me WordPress Countdown Widget allows Cross-Site Scripting (XSS).This issue affects WordPress Countdown Widget: from n/a through 3.1.9.1. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en WPAssist.Me WordPress Countdown Widget permite cross-site scripting (XSS). Este problema afecta al widget de cuenta regresiva de WordPress: desde n/a hasta 3.1.9.1. The WordPress Countdown Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1.9.1. This is due to missing or incorrect nonce validation on the admin_header function. • https://patchstack.com/database/vulnerability/wordpress-countdown-widget/wordpress-countdown-widget-plugin-3-1-9-1-cross-site-request-forgery-csrf-leading-to-cross-site-scripting-xss?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.9EPSS: 0%CPEs: 25EXPL: 0CVE-2022-4973 – WordPress Core < 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via use of the_meta(); function
https://notcve.org/view.php?id=CVE-2022-4973
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page. • https://www.wordfence.com/threat-intel/vulnerabilities/id/b5582e89-83e6-4898-b9fe-09eddeb5f7ae?source=cve https://core.trac.wordpress.org/changeset/53961 https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release https://www.wordfence.com/blog/2022/08/wordpress-core-6-0-2-security-maintenance-release-what-you-need-to-know • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1591 – WordPress Ping Optimizer < 2.35.1.3.0 - Arbitrary Settings Update via CSRF
https://notcve.org/view.php?id=CVE-2022-1591
The WordPress Ping Optimizer WordPress plugin before 2.35.1.3.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack El plugin Ping Optimizer de WordPress versiones anteriores a 2.35.1.3.0, no presenta una comprobación de tipo CSRF cuando es actualizada su configuración, lo que podría permitir a atacantes hacer que un administrador conectado los cambie por medio de un ataque de tipo CSRF The WordPress Ping Optimizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.35.1.2.3. This is due to missing or incorrect nonce validation on the cbnetpoOptionsPg function. This makes it possible for unauthenticated attackers to update plugin settings, via forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVE-2022-30705 appears to be a duplicate of this vulnerability. • https://wpscan.com/vulnerability/b1a52c7e-3422-40dd-af5a-ea4c622a87aa • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2021-25111 – English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect
https://notcve.org/view.php?id=CVE-2021-25111
The English WordPress Admin WordPress plugin before 1.5.2 does not validate the admin_custom_language_return_url before redirecting users o it, leading to an open redirect issue El plugin English WordPress Admin de WordPress versiones anteriores a 1.5.2, no comprueba el admin_custom_language_return_url antes de redirigir a usuarios en él, conllevando a un problema de redireccionamiento abierto The English WordPress Admin WordPress plugin before 1.5.2 does not validate the admin_custom_language_return_url before redirecting users to it, leading to an open redirect issue • https://wpscan.com/vulnerability/af548fab-96c2-4129-b609-e24aad0b1fc4 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-36833 – WordPress MC4WP plugin <= 4.8.6 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2021-36833
Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in ibericode's MC4WP plugin <= 4.8.6 at WordPress. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenado y autenticado (rol de administrador o usuario superior) en el plugin MC4WP de ibericode versiones anteriores a 4.8.6 incluyéndola, en WordPress The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 4.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://patchstack.com/database/vulnerability/mailchimp-for-wp/wordpress-mc4wp-plugin-4-8-6-authenticated-stored-cross-site-scripting-xss-vulnerability https://wordpress.org/plugins/mailchimp-for-wp/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •