CVE-2023-1895 – Getwid – Gutenberg Blocks <= 1.8.3 - Authenticated (Subscriber+) Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2023-1895
The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Server-Side Request Forgery via the get_remote_content REST API endpoint in versions up to, and including, 1.8.3. This allows authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services. WordPress Getwid Gutenberg Blocks plugin versions 1.8.3 and below suffer from improper authorization and server-side request forgery vulnerabilities.
• https://plugins.trac.wordpress.org/browser/getwid/tags/1.8.3/includes/rest-api.php
• https://www.wordfence.com/threat-intel/vulnerabilities/id/e9c2a942-c14c-4b59-92a7-6946b2e4731b?source=cve
• CWE-918: Server-Side Request Forgery (SSRF)
CVE-2023-1910 – Getwid – Gutenberg Blocks <= 1.8.3 - Improper Authorization via get_remote_templates REST endpoint
https://notcve.org/view.php?id=CVE-2023-1910
The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the get_remote_templates function in versions up to, and including, 1.8.3. This makes it possible for authenticated attackers with subscriber-level permissions or above to flush the remote template cache. Cached template information can also be read via this endpoint, but it is not considered sensitive because it is publicly accessible from the developer's site. WordPress Getwid Gutenberg Blocks plugin versions 1.8.3 and below suffer from improper authorization and server-side request forgery vulnerabilities.
• https://plugins.trac.wordpress.org/browser/getwid/tags/1.8.3/includes/rest-api.php
• https://www.wordfence.com/threat-intel/vulnerabilities/id/6cd64ab0-007b-4778-9d92-06e530638fad?source=cve
• CWE-285: Improper Authorization
CVE-2023-28498 – WordPress Hotel Booking Lite Plugin <= 4.6.0 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-28498
Cross-Site Request Forgery (CSRF) vulnerability in the MotoPress Hotel Booking Lite plugin, versions <= 4.6.0. The Hotel Booking Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.6.0. This is due to missing or incorrect nonce validation on the 'render' and 'onLoad' functions. This makes it possible for unauthenticated attackers to update plugin settings such as booking rules, tax, and fee information via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
• https://patchstack.com/database/vulnerability/motopress-hotel-booking-lite/wordpress-hotel-booking-lite-plugin-4-6-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-2844 – MotoPress Timetable and Event Schedule Calendar cross site scripting
https://notcve.org/view.php?id=CVE-2022-2844
A vulnerability classified as problematic has been found in MotoPress Timetable and Event Schedule up to 1.4.06. This affects an unknown part of the file /wp/?cpmvc_id=1&cpmvc_do_action=mvparse&f=datafeed&calid=1&month_index=1&method=adddetails&id=2 of the component Calendar Handler. The manipulation of the argument Subject/Location/Description leads to cross site scripting. It is possible to initiate the attack remotely.
• https://vuldb.com/?id.206487
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-2843 – MotoPress Timetable and Event Schedule Quick Edit admin-ajax.php cross site scripting
https://notcve.org/view.php?id=CVE-2022-2843
A vulnerability was found in MotoPress Timetable and Event Schedule. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /wp-admin/admin-ajax.php of the component Quick Edit. The manipulation of the argument post_title with the input <img src=x onerror=alert`2`> leads to cross site scripting. The attack may be launched remotely.
• https://vuldb.com/?id.206486
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')