CVE-2023-27460 – WordPress CP Contact Form with PayPal plugin <= 1.3.34 - Missing Authorization Leading To Feedback Submission vulnerability
https://notcve.org/view.php?id=CVE-2023-27460
Missing Authorization vulnerability in CodePeople, paypaldev CP Contact Form with Paypal allows Functionality Misuse.This issue affects CP Contact Form with Paypal: from n/a through 1.3.34. Vulnerabilidad de autorización faltante en CodePeople, paypaldev CP Contact Form with Paypal permite el uso indebido de la funcionalidad. Este problema afecta a CP Contact Form with Paypal: desde n/a hasta 1.3.34. The CP Contact Form with Paypal plugin for WordPress is vulnerable to missing authorization on the 'cpcfwpp_feedback' function in versions up to, and including, 1.3.34. This allows authenticated attackers, with subscriber-level capabilities or above, to submit feedback to the plugin developers, which is intended to be a functionality reserved for administrators. • https://patchstack.com/database/vulnerability/cp-contact-form-with-paypal/wordpress-cp-contact-form-with-paypal-plugin-1-3-34-missing-authorization-leading-to-feedback-submission-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVE-2022-48345
https://notcve.org/view.php?id=CVE-2022-48345
sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities. • https://github.com/braintree/sanitize-url/commit/d4bdc89f1743fe3cdb7c3f24b06e4c875f349b0c https://github.com/braintree/sanitize-url/compare/v6.0.1...v6.0.2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-23785 – WordPress Exquisite PayPal Donation Plugin <= v2.0.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-23785
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in DgCult Exquisite PayPal Donation plugin <= v2.0.0 versions. The Exquisite PayPal Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://patchstack.com/database/vulnerability/exquisite-paypal-donation/wordpress-exquisite-paypal-donation-plugin-v2-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-25714 – Quick Paypal Payments <= 5.7.25 - Missing Authorization
https://notcve.org/view.php?id=CVE-2023-25714
The Quick Paypal Payments plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability and nonce check on the 'download_logs' function in versions up to, and including, 5.7.25. This allows unauthenticated attackers to export and delete payment messages and modify payment message options. • CWE-862: Missing Authorization •
CVE-2023-25026 – PayPal Brasil para WooCommerce <= 1.4.2 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2023-25026
The PayPal Brasil para WooCommerce Plugin is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on multiple functions using the WooCommerce API. This makes it possible for unauthenticated attackers to process checkouts and billing agreements via a forged request granted they can trick another site user into performing an action such as clicking on a link. • CWE-352: Cross-Site Request Forgery (CSRF) •