
CVSS: 10.0 • EPSS: 4% • CPEs: 16 • EXPL: 2

01 Oct 2020 — The following WordPress themes are vulnerable to function injection in the listed versions and earlier: Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4. • https://blog.nintechnet.com/unauthenticated-function-injection-vulnerability-fixed-in-15-wordpress-themes • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 10.0 • EPSS: 1% • CPEs: 1 • EXPL: 1

25 Sep 2020 — The Simple:Press – WordPress Forum Plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ~/admin/resources/jscript/ajaxupload/sf-uploader.php file in versions up to, and including, 6.6.0. ... • https://blog.nintechnet.com/wordpress-simplepress-plugin-fixed-critical-vulnerabilities • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Sep 2020 — The Coming Soon & Maintenance Mode Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.57. • https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-coming-soon-maintenance-mode-page-cross-site-request-forgery-1-57 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Sep 2020 — The Radio Buttons for Taxonomies plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.5. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Sep 2020 — The WP Project Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.0. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 10.0 • EPSS: 97% • CPEs: 1 • EXPL: 15

01 Sep 2020 — The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. ... • https://github.com/0000000O0Oo/Wordpress-CVE-2020-25213 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 10.0 • EPSS: 97% • CPEs: 1 • EXPL: 10

24 Aug 2020 — A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action. • http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-Upload.html • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

21 Aug 2020 — The Kali Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.1. • https://blog.nintechnet.com/wordpress-kali-forms-plugin-fixed-multiple-vulnerabilities • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 10.0 • EPSS: 2% • CPEs: 1 • EXPL: 2

03 Aug 2020 — An issue was discovered in the Quiz and Survey Master plugin before 7.0.1 for WordPress. ... • https://wpscan.com/vulnerability/10349 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

16 Jul 2020 — The JetBackup – WP Backup, Migrate & Restore plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.9. • https://plugins.trac.wordpress.org/changeset/2341420 • CWE-352: Cross-Site Request Forgery (CSRF)