
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Missing Authorization vulnerability in Appointment Hour Booking plugin <= 1.3.71 on WordPress. Missing authorization vulnerability in the Appointment Hour Booking plugin for WordPress in versions <= 1.3.71. The Appointment Hour Booking plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the cpapphb_feedback function in versions up to, and including, 1.3.71. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to provide plugin feedback. • https://patchstack.com/database/vulnerability/appointment-hour-booking/wordpress-appointment-hour-booking-plugin-1-3-71-missing-authorization-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Corner Ad plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.56. This is due to missing or incorrect nonce validation on its corner_ad_settings_page function. This makes it possible for unauthenticated attackers to trigger the deletion of ads via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. The Corner Ad plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 1.0.56. This is due to missing or incorrect nonce validation in its corner_ad_settings_page function. • https://plugins.trac.wordpress.org/browser/corner-ad/trunk/corner-ad.php?rev=2782613#L240 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2765630%40corner-ad%2Ftrunk&old=2719671%40corner-ad%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/0a6c5e9a-754f-41c8-b27b-caa133b5070f • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 2

The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in them. The Calendar Event Multi View WordPress plugin before version 1.4.07 has no authorization or CSRF checks when an event is created, and also lacks sanitization and escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and place Cross-Site Scripting payloads in them. The Calendar Event Multi View plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on event creation and deletion in versions up to, and including, 1.4.06. This makes it possible for unauthenticated attackers to manipulate events. • https://www.exploit-db.com/exploits/51241 http://packetstormsecurity.com/files/171697/Calendar-Event-Multi-View-1.4.07-Cross-Site-Scripting.html https://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Loading Page with Loading Screen WordPress plugin before 1.0.83 does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The Loading Page with Loading Screen plugin for WordPress in versions before 1.0.83 does not escape its settings, allowing high-privilege users such as administrators to carry out Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. • https://wpscan.com/vulnerability/a9f4aab7-b42b-4bb6-b05d-05407f935230 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Appointment Hour Booking WordPress plugin before 1.3.56 does not sanitise and escape a setting of its Calendar fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The Appointment Hour Booking plugin for WordPress in versions before 1.3.56 does not sanitize and escape a setting of its Calendar fields, which could allow high-privilege users to carry out Cross-Site Scripting attacks even when unfiltered_html is disallowed. • https://wpscan.com/vulnerability/ed162ccc-88e6-41e8-b24d-1b9f77a038b6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •