CVE-2018-18461 – Arigato Autoresponder and Newsletter <= 2.7 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2018-18461
The Arigato Autoresponder and Newsletter (aka bft-autoresponder) v2.5.1.7 plugin for WordPress allows remote attackers to execute arbitrary code via PHP code in attachments[] data to models/attachment.php. This plugin does not appear to be patched based on our review.
• https://github.com/rakjong/vuln/blob/master/woedpress-Arigato%20Autoresponder_and_Newsletter-getshell.pdf
• https://wordpress.org/plugins/bft-autoresponder/#developers
• CWE-94: Improper Control of Generation of Code ('Code Injection')
• CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2018-1002005 – Arigato Autoresponder and Newsletter <= 2.5.1.8 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-1002005
These vulnerabilities require administrative privileges to exploit. There is an XSS vulnerability in bft_list.html.php:43 via the filter_signup_date parameter.
• https://www.exploit-db.com/exploits/45434
• http://www.vapidlabs.com/advisory.php?v=203
• https://wordpress.org/plugins/bft-autoresponder
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-1002008 – Arigato Autoresponder and Newsletter <= 2.5.1.8 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-1002008
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit. There is an XSS vulnerability in list-user.html.php:4 via the GET request offset variable.
• https://www.exploit-db.com/exploits/45434
• http://www.vapidlabs.com/advisory.php?v=203
• https://wordpress.org/plugins/bft-autoresponder
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-1002001 – Arigato Autoresponder and Newsletter <= 2.5.1.8 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-1002001
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit. WordPress Arigato Autoresponder and Newsletter plugin version 2.5 suffers from cross-site scripting and remote SQL injection vulnerabilities.
• https://www.exploit-db.com/exploits/45434
• http://www.vapidlabs.com/advisory.php?v=203
• https://wordpress.org/plugins/bft-autoresponder
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-1002003 – Arigato Autoresponder and Newsletter <= 2.5.1.8 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-1002003
There is a reflected XSS vulnerability in WordPress Arigato Autoresponder and Newsletter v2.5.1.8. This vulnerability requires administrative privileges to exploit.
• https://www.exploit-db.com/exploits/45434
• http://www.vapidlabs.com/advisory.php?v=203
• https://wordpress.org/plugins/bft-autoresponder
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')