CVE-2020-36705 – Adning Advertising <= 1.5.5 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2020-36705
07 Jul 2020 — The Adning Advertising plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the _ning_upload_image function in versions up to, and including, 1.5.5. • https://blog.nintechnet.com/critical-vulnerability-in-adning-advertising-plugin-actively-exploited-in-the-wild • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2020-36728 – Adning Advertising <= 1.5.5 - Unauthenticated Arbitrary File Deletion via Path Traversal
https://notcve.org/view.php?id=CVE-2020-36728
07 Jul 2020 — The Adning Advertising plugin for WordPress is vulnerable to file deletion via path traversal in versions up to, and including, 1.5.5. • https://blog.nintechnet.com/critical-vulnerability-in-adning-advertising-plugin-actively-exploited-in-the-wild • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2020-36713 – MStore API <= 2.1.5 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2020-36713
11 Mar 2020 — The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. • https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-mstore-api-plugin • CWE-288: Authentication Bypass Using an Alternate Path or Channel • CWE-306: Missing Authentication for Critical Function •
CVE-2020-36832 – Indeed Membership Pro 7.3 - 8.6 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2020-36832
06 Feb 2020 — The Ultimate Membership Pro plugin for WordPress is vulnerable to Authentication Bypass in versions between, and including, 7.3 to 8.6. • https://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253 • CWE-287: Improper Authentication •
CVE-2020-36724 – Wordable <= 3.1.1 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2020-36724
28 Jan 2020 — The Wordable plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.1. • https://blog.nintechnet.com/wordpress-plugins-and-themes-vulnerabilities-roundup • CWE-288: Authentication Bypass Using an Alternate Path or Channel • CWE-306: Missing Authentication for Critical Function •
CVE-2019-25150 – Email Templates <= 1.3 - HTML Injection
https://notcve.org/view.php?id=CVE-2019-25150
25 Oct 2019 — The Email Templates plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.3. • https://blog.nintechnet.com/multiple-wordpress-plugins-vulnerable-to-html-injection • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2019-16932 – Visualizer: Tables and Charts Manager for WordPress <= 3.3.0 - Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2019-16932
28 Sep 2019 — A blind SSRF vulnerability exists in the Visualizer plugin before 3.3.1 for WordPress via wp-json/visualizer/v1/upload-data. • https://nathandavison.com/blog/wordpress-visualizer-plugin-xss-and-ssrf • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2019-25213 – Advanced Access Manager <= 5.9.8.1 - Unauthenticated Arbitrary File Read
https://notcve.org/view.php?id=CVE-2019-25213
09 Sep 2019 — The Advanced Access Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read in versions up to, and including, 5.9.8.1 due to insufficient validation on the aam-media parameter. • https://www.wordfence.com/threat-intel/vulnerabilities/id/55e0f0df-7be2-4e18-988c-2cc558768eff?source=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2019-14313 – Photo Gallery by 10Web <= 1.5.30 - SQL Injection
https://notcve.org/view.php?id=CVE-2019-14313
26 Jul 2019 — A SQL injection vulnerability exists in the 10Web Photo Gallery plugin before 1.5.31 for WordPress. ... • https://wordpress.org/plugins/photo-gallery/#developers • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2019-14231 – Viral Quiz Maker - OnionBuzz < 1.2.2 - SQL Injection
https://notcve.org/view.php?id=CVE-2019-14231
20 Jul 2019 — An issue was discovered in the Viral Quiz Maker - OnionBuzz plugin before 1.2.2 for WordPress. ... The Viral Quiz Maker - OnionBuzz plugin for WordPress is vulnerable to blind SQL Injection via the 'ob_get_results' ajax nopriv handler in versions up to, and including, 1.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the exi... • http://www.openwall.com/lists/oss-security/2019/07/23/1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •