CVE-2023-1478 – Hummingbird < 3.4.2 - Unauthenticated Path Traversal
https://notcve.org/view.php?id=CVE-2023-1478
The Hummingbird WordPress plugin before 3.4.2 does not validate the generated file path for page cache files before writing them, leading to a path traversal vulnerability in the page cache module. The Hummingbird plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 3.4.1 via the page cache module, which does not validate file paths prior to saving them. This makes it possible for unauthenticated attackers to enumerate file directories, crash the server by writing cache files to an arbitrary location, and write cache files to arbitrary locations that may deny access to some resources. • https://wpscan.com/vulnerability/512a9ba4-01c0-4614-a991-efdc7fe51abe • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2022-0994 – Hummingbird < 3.3.2 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0994
The Hummingbird WordPress plugin before 3.3.2 does not sanitise and escape the Config Name, which could allow high privilege users, such as admin, to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The Hummingbird WordPress plugin in versions prior to 3.3.2 does not sanitise or escape the configuration name, which could allow high-privilege users, such as the administrator, to carry out Cross-Site Scripting attacks even when the unfiltered_html capability is not allowed. WordPress Hummingbird plugin versions prior to 3.3.2 suffer from a persistent cross-site scripting vulnerability. • https://wpscan.com/vulnerability/e9dd62fc-bb79-4a6b-b99c-60e40f010d7a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-24700 – Forminator < 1.15.4 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24700
The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The Forminator WordPress plugin in versions prior to 1.15.4 does not sanitise or escape the email field label, which could allow high-privilege users to carry out Cross-Site Scripting attacks even when unfiltered_html is disabled. • https://wpscan.com/vulnerability/1d489b05-296e-4268-8082-9737608f9b41 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-36821 – WordPress Forminator plugin <= 1.14.11 - Stored Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2021-36821
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV Forminator – Contact Form, Payment Form & Custom Form Builder allows Stored XSS. This issue affects Forminator – Contact Form, Payment Form & Custom Form Builder: from n/a through 1.14.11. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPMU DEV Forminator allows Stored XSS. This issue affects Forminator: from n/a through 1.14.11. The Forminator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.14.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/forminator/wordpress-forminator-plugin-1-14-11-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-4417 – Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.13.4 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2021-4417
The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4. This is due to missing or incorrect nonce validation on the listen_for_saving_export_schedule() function. This makes it possible for unauthenticated attackers to export form submissions via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery attacks in versions up to and including 1.13.4. This is due to missing or incorrect nonce validation in the "listen_for_saving_export_schedule()" function. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4 https://blo • CWE-352: Cross-Site Request Forgery (CSRF) •