CVE-2022-36346 – WordPress MaxButtons plugin <= 9.2 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
https://notcve.org/view.php?id=CVE-2022-36346
02 Aug 2022 — Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Max Foundry MaxButtons plugin <= 9.2 at WordPress. The WordPress Button Plugin MaxButtons plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 9.2. • https://patchstack.com/database/vulnerability/maxbuttons/wordpress-maxbuttons-plugins-9-2-multiple-cross-site-request-forgery-csrf-vulnerabilities • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-2233 – Banner Cycler <= 1.4 - Cross-Site Request Forgery to Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2233
02 Aug 2022 — The Banner Cycler plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4. ... This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site’s administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/banner-cycler/trunk/admin/admin.php#L131 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-33201 – WordPress MailerLite – Signup forms (official) plugin <= 1.5.7 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-33201
01 Aug 2022 — Cross-Site Request Forgery (CSRF) vulnerability in MailerLite – Signup forms (official) plugin <= 1.5.7 at WordPress allows an attacker to change the API key. The MailerLite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and in... • https://patchstack.com/database/vulnerability/official-mailerlite-sign-up-forms/wordpress-mailerlite-signup-forms-official-plugin-1-5-7-cross-site-request-forgery-csrf-vulnerability • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-36379 – WordPress ЮKassa для WooCommerce plugin <= 2.3.0 - Cross-Site Request Forgery (CSRF) leading to plugin settings update
https://notcve.org/view.php?id=CVE-2022-36379
29 Jul 2022 — Cross-Site Request Forgery (CSRF) leading to plugin settings update in YooMoney ЮKassa для WooCommerce plugin <= 2.3.0 at WordPress. The ЮKassa для WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.0. • https://patchstack.com/database/vulnerability/yookassa/wordpress-yukassa-dlya-woocommerce-plugin-2-3-0-cross-site-request-forgery-csrf-leading-to-plugin-settings-update • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-2540 – Link Optimizer Lite <= 1.4.5 - Cross-Site Request Forgery to Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2540
26 Jul 2022 — The Link Optimizer Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including, 1.4.5. ... • https://plugins.trac.wordpress.org/browser/link-optimizer-lite/1.4.5/admin.php#L20 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-2541 – uContext for Amazon <= 3.9.1 - Cross-Site Request Forgery to Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2541
26 Jul 2022 — The uContext for Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including, 3.9.1. ... • https://plugins.trac.wordpress.org/browser/ucontext-for-amazon/trunk/app/Ucontext4a_Ajax.php • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-2542 – uContext for Clickbank <= 3.9.1 - Cross-Site Request Forgery to Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2542
26 Jul 2022 — The uContext for Clickbank plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including, 3.9.1. ... • https://plugins.trac.wordpress.org/browser/ucontext/trunk/app/Ucontext_Ajax.php • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-2314 – VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call
https://notcve.org/view.php?id=CVE-2022-2314
22 Jul 2022 — The VR Calendar WordPress plugin through 2.3.2 lets any user execute arbitrary PHP functions on the site. The VR Calendar plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.2.2 via the handleCommands() function, which accepts user-supplied input via the 'vrc_cmd' parameter that is passed to call_user_func(). • https://wpscan.com/vulnerability/b22fe77c-844e-4c24-8023-014441cc1e82 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2022-2180 – GREYD.SUITE < 1.2.7 - Unauthenticated File Upload to RCE
https://notcve.org/view.php?id=CVE-2022-2180
21 Jul 2022 — The GREYD.SUITE WordPress theme does not properly validate uploaded custom font packages, and does not perform any authorization or CSRF checks, allowing an unauthenticated attacker to upload arbitrary files, including PHP source files, leading to possible remote code execution (RCE). • https://wpscan.com/vulnerability/c330f92b-1e21-414f-b316-d5e97cb62bd1 • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2022-36425 – WordPress Beaver Builder plugin <= 2.5.4.3 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2022-36425
20 Jul 2022 — Broken Access Control vulnerability in Beaver Builder plugin <= 2.5.4.3 at WordPress. The Beaver Builder plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the save_settings function in versions up to, and including, 2.5.4.3. • https://patchstack.com/database/vulnerability/beaver-builder-lite-version/wordpress-beaver-builder-plugin-2-5-4-3-broken-access-control-vulnerability/_s_id=cve • CWE-264: Permissions, Privileges, and Access Controls • CWE-862: Missing Authorization