CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2021-25111 – English WordPress Admin < 1.5.2 - Unauthenticated Open Redirect
https://notcve.org/view.php?id=CVE-2021-25111
The English WordPress Admin WordPress plugin before 1.5.2 does not validate the admin_custom_language_return_url before redirecting users o it, leading to an open redirect issue El plugin English WordPress Admin de WordPress versiones anteriores a 1.5.2, no comprueba el admin_custom_language_return_url antes de redirigir a usuarios en él, conllevando a un problema de redireccionamiento abierto The English WordPress Admin WordPress plugin before 1.5.2 does not validate the admin_custom_language_return_url before redirecting users to it, leading to an open redirect issue • https://wpscan.com/vulnerability/af548fab-96c2-4129-b609-e24aad0b1fc4 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-36833 – WordPress MC4WP plugin <= 4.8.6 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2021-36833
Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in ibericode's MC4WP plugin <= 4.8.6 at WordPress. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenado y autenticado (rol de administrador o usuario superior) en el plugin MC4WP de ibericode versiones anteriores a 4.8.6 incluyéndola, en WordPress The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 4.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://patchstack.com/database/vulnerability/mailchimp-for-wp/wordpress-mc4wp-plugin-4-8-6-authenticated-stored-cross-site-scripting-xss-vulnerability https://wordpress.org/plugins/mailchimp-for-wp/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 1CVE-2022-21663 – Authenticated Object Injection in Multisites in WordPress
https://notcve.org/view.php?id=CVE-2022-21663
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. • https://blog.sonarsource.com/wordpress-object-injection-vulnerability https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3 https://wordpress.org/news/2022/01/wordpress-5-8-3-security- • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-502: Deserialization of Untrusted Data •
CVSS: 8.0EPSS: 0%CPEs: 4EXPL: 0CVE-2022-21662 – Stored XSS in WordPress
https://notcve.org/view.php?id=CVE-2022-21662
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. • https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3 https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release https://www.debian.org/security/2022/dsa-5039 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2022-21664 – SQL injection in WordPress
https://notcve.org/view.php?id=CVE-2022-21664
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. • https://github.com/WordPress/wordpress-develop/commit/c09ccfbc547d75b392dbccc1ef0b4442ccd3c957 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86 https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3 https://wordpress.org/news/2022/01/wordpress-5&# • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •