CVE-2023-47557 – Visitors Traffic Real Time Statistics <= 7.2 - Missing Authorization via multiple AJAX actions
https://notcve.org/view.php?id=CVE-2023-47557
The Visitors Traffic Real Time Statistics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 7.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to view visitor statistics.
CWE-862: Missing Authorization
CVE-2023-5653 – WassUp Real Time Analytics <= 1.9.4.5 - Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2023-5653
The WassUp Real Time Analytics WordPress plugin through 1.9.4.5 does not escape IP addresses provided via some headers before outputting them back in an admin page, allowing unauthenticated users to perform Stored XSS attacks against logged-in admins. The WassUp Real Time Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via spoofed IP addresses in all versions up to, and including, 1.9.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.
References: https://wpscan.com/vulnerability/76316621-1987-44ea-83e5-6ca884bdd1c0
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-5805 – SourceCodester Simple Real Estate Portal System view_estate.php sql injection
https://notcve.org/view.php?id=CVE-2023-5805
A vulnerability was found in SourceCodester Simple Real Estate Portal System 1.0. It has been classified as critical. Affected is an unknown function of the file view_estate.php. The manipulation of the argument id leads to SQL injection. It is possible to launch the attack remotely.
References: https://github.com/lxxcute/Bug/blob/main/Real%20Estate%20Portal%20System%20view_estate.php%20has%20Sqlinjection.pdf https://vuldb.com/?ctiid.243618 https://vuldb.com/?id.243618
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-28532 – Real Estate Directory <= 1.0.5 - Cross-Site Request Forgery via rdm_activate_plugin
https://notcve.org/view.php?id=CVE-2023-28532
The Real Estate Directory theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.5. This is due to missing or incorrect nonce validation on the rdm_activate_plugin function. This makes it possible for unauthenticated attackers to activate arbitrary plugins via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-0364 – real.Kit < 5.1.1 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0364
The real.Kit WordPress plugin before 5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The real.Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 5.1.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References: https://wpscan.com/vulnerability/e56759ae-7530-467a-b9ba-e9a404afb872
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')