CVE-2019-13569 – Email Subscribers & Newsletters <= 4.1.7 - SQL Injection
https://notcve.org/view.php?id=CVE-2019-13569
19 Jul 2019 — A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. ... • https://wordpress.org/plugins/email-subscribers/#developers • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2019-13573 – FV Flowplayer Video Player <= 7.3.18.727 - SQL Injection
https://notcve.org/view.php?id=CVE-2019-13573
11 Jul 2019 — A SQL injection vulnerability exists in the FolioVision FV Flowplayer Video Player plugin before 7.3.19.727 for WordPress. ... • https://plugins.trac.wordpress.org/changeset/2121566/fv-wordpress-flowplayer/trunk/models/db.php • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2019-25138 – User Submitted Posts <= 20190312 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2019-25138
02 May 2019 — The User Submitted Posts plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the usp_check_images function in versions up to, and including, 20190312. • https://blog.nintechnet.com/arbitrary-file-upload-vulnerability-in-wordpress-user-submitted-posts-plugin • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2019-25141 – Easy WP SMTP <= 1.3.9 - Missing Authorization to Arbitrary Options Update
https://notcve.org/view.php?id=CVE-2019-25141
17 Mar 2019 — The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. • https://blog.nintechnet.com/critical-0day-vulnerability-fixed-in-wordpress-easy-wp-smtp-plugin • CWE-862: Missing Authorization •
CVE-2019-25217 – SiteGround Optimizer <= 5.0.12 - Missing Authorization
https://notcve.org/view.php?id=CVE-2019-25217
14 Mar 2019 — The SiteGround Optimizer plugin for WordPress is vulnerable to authorization bypass leading to Remote Code Execution and Local File Inclusion in versions up to, and including, 5.0.12 due to incorrect use of an access control attribute on the switch_php function called via the /switch-php REST API route. • https://www.wordfence.com/threat-intel/vulnerabilities/id/657f3bd7-2cdc-4eb6-ba50-7c7fca468df0?source=cve • CWE-862: Missing Authorization •
CVE-2024-51792 – WordPress Audio Record plugin <= 1.0 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-51792
07 Jan 2019 — The Audio Record plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_record_callback function in versions up to, and including, 1.0. • https://patchstack.com/database/vulnerability/audio-record/wordpress-audio-record-plugin-1-0-arbitrary-file-upload-vulnerability-2? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2018-25105 – File Manager <= 3.0 - Unauthenticated Arbitrary File Upload/Download
https://notcve.org/view.php?id=CVE-2018-25105
17 Sep 2018 — The File Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in the /inc/root.php file in versions up to, and including, 3.0. • https://www.wordfence.com/threat-intel/vulnerabilities/id/a56d5a2f-ae13-4523-bc4a-17bb2fb4c6f0?source=cve • CWE-862: Missing Authorization •
CVE-2018-6213
https://notcve.org/view.php?id=CVE-2018-6213
20 Jun 2018 — In the web server on D-Link DIR-620 devices with a certain customized (by ISP) variant of firmware 1.0.3, 1.0.37, 1.3.1, 1.3.3, 1.3.7, 1.4.0, and 2.0.22, there is a hardcoded password of "anonymous" for the admin account. • https://securityaffairs.co/wordpress/72839/hacking/d-link-dir-620-flaws.html • CWE-798: Use of Hard-coded Credentials •
CVE-2016-15004 – InfiniteWP Client Plugin injection
https://notcve.org/view.php?id=CVE-2016-15004
25 Jan 2017 — Updating the affected component is recommended. The InfiniteWP Client plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.6.0 via deserialization of untrusted input. • http://seclists.org/fulldisclosure/2017/Jan/72 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') • CWE-502: Deserialization of Untrusted Data •
CVE-2016-10927 – Nelio AB Testing < 4.5.11 - Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2016-10927
29 Dec 2016 — The nelio-ab-testing plugin before 4.5.11 for WordPress has SSRF in ajax/iesupport.php. • https://wordpress.org/plugins/nelio-ab-testing/#developers • CWE-918: Server-Side Request Forgery (SSRF) •