CVE-2021-4362 – Kiwi Social Sharing 2.1.0 - 2.1.2 - Arbitrary Options Change
https://notcve.org/view.php?id=CVE-2021-4362
04 Jun 2021 — The Kiwi Social Share plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the kiwi_social_share_get_option() function called via the kiwi_social_share_get_option AJAX action in version 2.1.0. This makes it possible for unauthenticated attackers to read and modify arbitrary options on a WordPress site that can be used for complete site takeover. • https://blog.nintechnet.com/wordpress-kiwi-social-sharing-plugin-fixed-critical-vulnerability • CWE-862: Missing Authorization •
CVE-2021-4434 – Social Warfare <= 3.5.2 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2021-4434
29 Apr 2021 — The Social Warfare plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.5.2 via the 'swp_url' parameter. ... • https://packetstormsecurity.com/files/163680/WordPress-Social-Warfare-3.5.2-Remote-Code-Execution.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2021-24215 – Controlled Admin Access < 1.5.2 - Improper Access Control & Privilege Escalation
https://notcve.org/view.php?id=CVE-2021-24215
23 Mar 2021 — An Improper Access Control vulnerability was discovered in the Controlled Admin Access WordPress plugin before 1.5.2. ... • https://m0ze.ru/vulnerability/%5B2021-03-18%5D-%5BWordPress%5D-%5BCWE-284%5D-Controlled-Admin-Access-WordPress-Plugin-v1.4.0.txt • CWE-284: Improper Access Control CWE-425: Direct Request ('Forced Browsing') •
CVE-2021-4349 – Process Steps Template Designer <= 1.2.1 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2021-4349
01 Mar 2021 — The Process Steps Template Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.1. • https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2021-4401 – Style Kits <= 1.8.0 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2021-4401
01 Mar 2021 — The Style Kits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.0. ... • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2021-4443 – WordPress Mega Menu <= 2.0.6 - Arbitrary File Creation
https://notcve.org/view.php?id=CVE-2021-4443
22 Feb 2021 — The WordPress Mega Menu plugin for WordPress is vulnerable to Arbitrary File Creation in versions up to, and including, 2.0.6 via the compiler_save AJAX action. • https://sh3llcon.org/la-debilidad-de-wordpress • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2021-24148 – MStore API < 3.2.0 - Authentication Bypass With Sign In With Apple
https://notcve.org/view.php?id=CVE-2021-24148
02 Feb 2021 — A business logic issue in the MStore API WordPress plugin, versions before 3.2.0, had an authentication bypass with Sign In With Apple allowing unauthenticated users to recover an authentication cookie with only an email address. • https://wpscan.com/vulnerability/bf5ddc43-974d-41fa-8276-c1a27d3cc882 • CWE-287: Improper Authentication CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVE-2021-26754 – wpDataTables (Premium) <= 3.4 - SQL Injection
https://notcve.org/view.php?id=CVE-2021-26754
02 Feb 2021 — wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order[0][dir] SQL injection. Please... • https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-i • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-4341 – uListing <= 1.6.6 - Unauthenticated Wordpress Options Changes via AJAX
https://notcve.org/view.php?id=CVE-2021-4341
28 Jan 2021 — The uListing plugin for WordPress is vulnerable to authorization bypass via Ajax due to missing capability checks, missing input validation, and a missing security nonce in the stm_update_email_data AJAX action in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to change any WordPress option in the database. • https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities • CWE-862: Missing Authorization •
CVE-2021-4343 – uListing <= 1.6.6 - Unauthenticated Arbitrary Account Creation
https://notcve.org/view.php?id=CVE-2021-4343
28 Jan 2021 — The Unauthenticated Account Creation plugin for WordPress is vulnerable to Unauthenticated Account Creation in versions up to, and including, 1.6.6. • https://blog.nintechnet.com/wordpress-ulisting-plugin-fixed-multiple-critical-vulnerabilities • CWE-862: Missing Authorization •