
CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

The WassUp Real Time Analytics WordPress plugin through 1.9.4.5 does not escape IP addresses provided via some headers before outputting them back in an admin page, allowing unauthenticated users to perform Stored XSS attacks against logged-in admins.

The WassUp Real Time Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via spoofed IP addresses in all versions up to, and including, 1.9.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.

• https://wpscan.com/vulnerability/76316621-1987-44ea-83e5-6ca884bdd1c0
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

A vulnerability was found in SourceCodester Simple Real Estate Portal System 1.0. It has been classified as critical. Affected is an unknown function of the file view_estate.php. The manipulation of the argument id leads to SQL injection. It is possible to launch the attack remotely.

• https://github.com/lxxcute/Bug/blob/main/Real%20Estate%20Portal%20System%20view_estate.php%20has%20Sqlinjection.pdf
• https://vuldb.com/?ctiid.243618
• https://vuldb.com/?id.243618
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Real Estate Directory theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.5. This is due to missing or incorrect nonce validation on the rdm_activate_plugin function. This makes it possible for unauthenticated attackers to activate arbitrary plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

The real.Kit WordPress plugin before 5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

The real.Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 5.1.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

• https://wpscan.com/vulnerability/e56759ae-7530-467a-b9ba-e9a404afb872
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Simple Real Estate Pack WordPress plugin through 1.4.8 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed.

• https://wpscan.com/vulnerability/8a32896d-bf1b-4d7b-8d84-dc38b877928b
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')