CVE-2024-33944 – WordPress WooCommerce AWeber Newsletter Subscription plugin <= 4.0.2 - Unauthenticated Access Token Change/Reset vulnerability
https://notcve.org/view.php?id=CVE-2024-33944
Missing Authorization vulnerability in Kestrel WooCommerce AWeber Newsletter Subscription. This issue affects WooCommerce AWeber Newsletter Subscription: from n/a through 4.0.2. The WooCommerce AWeber Newsletter Subscription plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on a function in all versions up to, and including, 4.0.2. This makes it possible for unauthenticated attackers to reset and change the plugin's access token.
Reference: https://patchstack.com/database/vulnerability/woocommerce-aweber-newsletter-subscription/wordpress-woocommerce-aweber-newsletter-subscription-plugin-4-0-1-unauthenticated-access-token-change-reset-vulnerability?_s_id=cve
CWE-862: Missing Authorization
CVE-2024-32807 – WordPress Brevo for WooCommerce plugin <= 4.0.17 - Arbitrary File Download and Deletion vulnerability
https://notcve.org/view.php?id=CVE-2024-32807
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Brevo Sendinblue for WooCommerce allows Relative Path Traversal, Manipulating Web Input to File System Calls. This issue affects Sendinblue for WooCommerce: from n/a through 4.0.17. The Brevo for WooCommerce plugin for WordPress is vulnerable to arbitrary file download and deletion in all versions up to, and including, 4.0.17. This is due to the plugin not properly validating file names in the get_file_contents and delete_attachment functions.
Reference: https://patchstack.com/database/vulnerability/woocommerce-sendinblue-newsletter-subscription/wordpress-brevo-for-woocommerce-plugin-4-0-17-arbitrary-file-download-and-deletion-vulnerability?_s_id=cve
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-31434 – WordPress Newsletter plugin <= 8.0.6 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-31434
Cross-Site Request Forgery (CSRF) vulnerability in Stefano Lissa & The Newsletter Team Newsletter. This issue affects Newsletter: from n/a through 8.0.6. The Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.0.6. This is due to missing or incorrect nonce validation in the main/welcome.php file.
Reference: https://patchstack.com/database/vulnerability/newsletter/wordpress-newsletter-plugin-8-0-6-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2024-31110 – WordPress Contact Form 7 Newsletter plugin <= 2.2 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-31110
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Katz Web Services, Inc. Contact Form 7 Newsletter allows Reflected XSS. This issue affects Contact Form 7 Newsletter: from n/a through 2.2. The Contact Form 7 Newsletter plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping.
Reference: https://patchstack.com/database/vulnerability/contact-form-7-newsletter/wordpress-contact-form-7-newsletter-plugin-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-30522 – WordPress Newsletter plugin <= 8.2.0 - IP Blacklist Bypass vulnerability
https://notcve.org/view.php?id=CVE-2024-30522
Authentication Bypass by Spoofing vulnerability in Stefano Lissa & The Newsletter Team Newsletter allows Functionality Bypass. This issue affects Newsletter: from n/a through 8.2.0. The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 8.2.0 due to insufficient IP address validation. This makes it possible for unauthenticated attackers to spoof their IP address and bypass the blocklist.
Reference: https://patchstack.com/database/vulnerability/newsletter/wordpress-newsletter-plugin-8-2-0-ip-blacklist-bypass-vulnerability?_s_id=cve
CWE-290: Authentication Bypass by Spoofing; CWE-348: Use of Less Trusted Source