CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0386 – weForms <= 1.6.21 - Unauthenticated Stored Cross-Site Scripting via Referer
https://notcve.org/view.php?id=CVE-2024-0386
12 Mar 2024 — The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Referer' HTTP header in all versions up to, and including, 1.6.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento weForms para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del encabezado HTTP 'Referer' en todas las versio... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3047406%40weforms&new=3047406%40weforms&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24869 – WordPress Total Upkeep plugin <= 1.15.8 - Arbitrary File Download vulnerability
https://notcve.org/view.php?id=CVE-2024-24869
02 Feb 2024 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in BoldGrid Total Upkeep allows Relative Path Traversal.This issue affects Total Upkeep: from n/a through 1.15.8. La limitación incorrecta de un nombre de ruta a una vulnerabilidad de directorio restringido ("Path Traversal") en BoldGrid Total Upkeep permite el path traversal relativo. Este problema afecta a Total Upkeep: desde n/a hasta 1.15.8. The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by Bo... • https://patchstack.com/database/vulnerability/boldgrid-backup/wordpress-total-upkeep-plugin-1-15-8-arbitrary-file-download-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-285: Improper Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25480 – WordPress Post and Page Builder by BoldGrid – Visual Drag and Drop Editor Plugin <= 1.24.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-25480
22 Aug 2023 — Cross-Site Request Forgery (CSRF) vulnerability in BoldGrid Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plugin <= 1.24.1 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en BoldGrid Post y Page Builder por BoldGrid – complemento Visual Drag and Drop Editor en versiones <= 1.24.1. The Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.24.1. This is due to missi... • https://patchstack.com/database/vulnerability/post-and-page-builder/wordpress-post-and-page-builder-by-boldgrid-plugin-1-24-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-4932 – Total Upkeep <= 1.14.13 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure
https://notcve.org/view.php?id=CVE-2022-4932
24 Feb 2022 — The Total Upkeep plugin for WordPress is vulnerable to information disclosure in versions up to, and including 1.14.13. This is due to missing authorization on the heartbeat_received() function that triggers on WordPress heartbeat. This makes it possible for authenticated attackers, with subscriber-level permissions and above to retrieve back-up paths that can subsequently be used to download the back-up. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2684462%40boldgrid-backup&new=2684462%40boldgrid-backup&sfp_email=&sfph_mail= • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24436 – W3 Total Cache < 2.1.4 - Reflected XSS in Extensions Page (Attribute Context)
https://notcve.org/view.php?id=CVE-2021-24436
28 Jun 2021 — The W3 Total Cache WordPress plugin before 2.1.4 was vulnerable to a reflected Cross-Site Scripting (XSS) security vulnerability within the "extension" parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise. El plugin W3 Total Cache WordPress versiones anteriores a 2.1.4, er... • https://wpscan.com/vulnerability/05988ebb-7378-4a3a-9d2d-30f8f58fe9ef • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24452 – W3 Total Cache < 2.1.5 - Reflected XSS in Extensions Page (JS Context)
https://notcve.org/view.php?id=CVE-2021-24452
28 Jun 2021 — The W3 Total Cache WordPress plugin before 2.1.5 was affected by a reflected Cross-Site Scripting (XSS) issue within the "extension" parameter in the Extensions dashboard, when the 'Anonymously track usage to improve product quality' setting is enabled, as the parameter is output in a JavaScript context without proper escaping. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site c... • https://wpscan.com/vulnerability/3e855e09-056f-45b5-89a9-d644b7d8c9d0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24427 – W3 Total Cache < 2.1.3 - Authenticated Stored XSS
https://notcve.org/view.php?id=CVE-2021-24427
16 Jun 2021 — The W3 Total Cache WordPress plugin before 2.1.3 did not sanitise or escape some of its CDN settings, allowing high privilege users to use JavaScript in them, which will be output in the page, leading to an authenticated Stored Cross-Site Scripting issue El plugin de WordPress W3 Total Cache versiones anteriores a 2.1.3, no saneaba o escapaba de algunas de sus configuraciones de CDN, permitiendo a usuarios con altos privilegios usar JavaScript en ellas, que se emitirá en la página, conllevando a un problema... • https://m0ze.ru/vulnerability/%5B2021-04-25%5D-%5BWordPress%5D-%5BCWE-79%5D-W3-Total-Cache-WordPress-Plugin-v2.1.2.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2012-6079 – W3 Total Cache <= 0.9.2.4 - Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2012-6079
22 Nov 2019 — W3 Total Cache before 0.9.2.5 exposes sensitive cached database information which allows remote attackers to download this information via their hash keys. W3 Total Cache versiones anteriores a 0.9.2.5, expone información confidencial de la base de datos en la caché lo que permite a atacantes remotos descargar esta información por medio de sus claves de hash. • http://www.openwall.com/lists/oss-security/2012/12/30/3 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2012-6078 – W3 Total Cache <= 0.9.2.4 - Insecure Cryptography to Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2012-6078
22 Nov 2019 — W3 Total Cache before 0.9.2.5 generates hash keys insecurely which allows remote attackers to predict the values of the hashes. W3 Total Cache versiones anteriores a 0.9.2.5, genera claves de hash de forma no segura, lo que permite a atacantes remotos predecir los valores de los hash. • http://www.openwall.com/lists/oss-security/2012/12/30/3 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2012-6077 – W3 Total Cache <= 0.9.2.4 - Password Hash Extraction
https://notcve.org/view.php?id=CVE-2012-6077
22 Nov 2019 — W3 Total Cache before 0.9.2.5 allows remote attackers to retrieve password hash information due to insecure storage of database cache files. W3 Total Cache versiones anteriores a 0.9.2.5, permite a atacantes remotos recuperar información del hash de contraseña debido al almacenamiento no seguro de los archivos de caché de la base de datos. • http://www.openwall.com/lists/oss-security/2012/12/30/3 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •