
CVE-2024-9874 – WordPress Poll Maker Plugin <= 5.4.6 - Authenticated (Administrator+) Time-Based SQL Injection
https://notcve.org/view.php?id=CVE-2024-9874
08 Nov 2024 — The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 5.4.6 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive... • https://packetstormsecurity.com/files/179500/WordPress-Poll-Maker-5.3.2-SQL-Injection.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-9462 – Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 5.4.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Poll Settings
https://notcve.org/view.php?id=CVE-2024-9462
25 Oct 2024 — The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Stored Cross-Site Scripting via poll settings in all versions up to, and including, 5.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations w... • https://plugins.trac.wordpress.org/browser/poll-maker/tags/5.4.6/includes/lists/class-poll-maker-polls-list-table.php#L244 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-9475 – Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 5.4.6 - Authenticated (Administrator+) SQL Injection via Order_by Parameter
https://notcve.org/view.php?id=CVE-2024-9475
25 Oct 2024 — The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to generic SQL Injection via the order_by parameter in all versions up to, and including, 5.4.6 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitiv... • https://plugins.trac.wordpress.org/browser/poll-maker/tags/5.4.5/includes/lists/class-poll-maker-each-results-poll-list-table.php#L56 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-8488 – Survey Maker – Customer Satisfaction Questionnaire, Chat Survey, Calculation Form, Payment Forms <= 4.9.7 - Authenticated (Admin+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-8488
07 Oct 2024 — The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Survey fields in all versions up to, and including, 4.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://www.wordfence.com/threat-intel/vulnerabilities/id/5e04edb6-ef37-4ea8-a734-dbdcf689ba9b?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-6028 – Quiz Maker <= 6.5.8.3 - Unauthenticated SQL Injection via 'ays_questions' Parameter
https://notcve.org/view.php?id=CVE-2024-6028
24 Jun 2024 — The Quiz Maker plugin for WordPress is vulnerable to time-based SQL Injection via the 'ays_questions' parameter in all versions up to, and including, 6.5.8.3 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://github.com/truonghuuphuc/CVE-2024-6028-Poc • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-3897 – Popup Box – Best WordPress Popup Plugin <= 4.3.6 - Missing Authorization to Information Exposure
https://notcve.org/view.php?id=CVE-2024-3897
24 Apr 2024 — The Popup Box – Best WordPress Popup Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_pb_create_author AJAX action in all versions up to, and including, 4.3.6. This makes it possible for unauthenticated attackers to enumerate all emails registered on the website. • https://plugins.trac.wordpress.org/changeset/3073593/ays-popup-box/tags/4.3.7/admin/class-ays-pb-admin.php?old=3072088&old_path=ays-popup-box%2Ftags%2F4.3.6%2Fadmin%2Fclass-ays-pb-admin.php • CWE-862: Missing Authorization •

CVE-2024-3600 – Poll Maker – Best WordPress Poll Plugin <= 5.1.8 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-3600
18 Apr 2024 — The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the ays_poll_maker_quick_start AJAX action in addition to insufficient escaping and sanitization in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to create quizzes and inject malicious web scripts into them that execute when a user visits the page. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071296%40poll-maker&new=3071296%40poll-maker&sfp_email=&sfph_mail= • CWE-862: Missing Authorization •

CVE-2024-3601 – Poll Maker – Best WordPress Poll Plugin <= 5.1.8 - Missing Authorization to Unauthenticated Email Enumeration
https://notcve.org/view.php?id=CVE-2024-3601
18 Apr 2024 — The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_poll_create_author function in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to extract email addresses by enumerating them one character at a time. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3071296%40poll-maker&new=3071296%40poll-maker&sfp_email=&sfph_mail= • CWE-862: Missing Authorization •

CVE-2023-35764 – Survey Maker <= 4.0.9 - IP Address Spoofing
https://notcve.org/view.php?id=CVE-2023-35764
03 Apr 2024 — Insufficient verification of data authenticity issue in Survey Maker prior to 3.6.4 allows a remote unauthenticated attacker to spoof an IP address when posting. The Survey Maker – Best WordPress Survey Plugin plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 4.0.... • https://jvn.jp/en/jp/JVN51098626 • CWE-345: Insufficient Verification of Data Authenticity CWE-348: Use of Less Trusted Source •

CVE-2023-34423 – Survey Maker – Best WordPress Survey Plugin <= 3.6.6 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-34423
03 Apr 2024 — Survey Maker prior to 3.6.4 contains a stored cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product with the administrative privilege. • https://jvn.jp/en/jp/JVN51098626 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •