CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-2433 – WordPress Infinite Scroll – Ajax Load More <= 5.5.3 - Cross-Site Request Forgery to PHAR Deserialization
https://notcve.org/view.php?id=CVE-2022-2433
22 Aug 2022 — The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to deserialization of untrusted input via the 'alm_repeaters_export' parameter in versions up to, and including 5.5.3. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP ch... • https://plugins.trac.wordpress.org/changeset/2772627/ajax-load-more/trunk/admin/admin.php • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24334 – Instant Images WordPress Plugin < 4.4.0.1 - Authenticated Stored XSS & XFS
https://notcve.org/view.php?id=CVE-2021-24334
17 May 2021 — The Instant Images – One Click Unsplash Uploads WordPress plugin before 4.4.0.1 did not properly validate and sanitise its unsplash_download_w and unsplash_download_h parameter settings (/wp-admin/upload.php?page=instant-images), only validating them client side before saving them, leading to a Stored Cross-Site Scripting issue. El plugin de WordPress Instant Images - One Click Unsplash Uploads versiones anteriores a 4.4.0.1, no comprobaba ni saneababa correctamente la configuración de los parámetros unspla... • https://m0ze.ru/vulnerability/%5B2021-04-22%5D-%5BWordPress%5D-%5BCWE-79%5D-Instant-Images-WordPress-Plugin-v4.4.0.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2021-24140 – Ajax Load More < 5.3.2 - Authenticated SQL Injection
https://notcve.org/view.php?id=CVE-2021-24140
18 May 2020 — Unvalidated input in the Ajax Load More WordPress plugin, versions before 5.3.2, lead to SQL Injection in POST /wp-admin/admin-ajax.php with param repeater=' or sleep(5)#&type=test. Una entrada no comprobada en el plugin Ajax Load More de WordPress, versiones anteriores a 5.3.2, conlleva a una inyección SQL en el archivo POST /wp-admin/admin-ajax.php con param repeater=' o sleep(5)#&type=test • https://wpscan.com/vulnerability/1876312e-3dba-4909-97a5-afbb76fbc056 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •