CVE-2022-4974 – Freemius SDK <= 2.4.2 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2022-4974
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and _set_db_option functions in versions up to and including 2.4.2. Any WordPress plugin or theme running a version of Freemius earlier than 2.4.3 is vulnerable. • https://www.wordfence.com/threat-intel/vulnerabilities/id/39fb0499-9ab4-4a2f-b0db-ece86bcf4d42?source=cve https://wpscan.com/vulnerability/6dae6dca-7474-4008-9fe5-4c62b9f12d0a https://freemius.com/blog/managing-security-issues-open-source-freemius-sdk-security-disclosure https://wpdirectory.net/search/01FWPVWA7BC5DYGZHNSZQ9QMN5 https://wpdirectory.net/search/01G02RSGMFS1TPT63FS16RWEYR https://web.archive.org/web/20220225174410/https%3A//www.pluginvulnerabilities.com/2022/02/25/our-security-review-of-wordpress-plugin-found-freemius-li • CWE-862: Missing Authorization •
CVE-2021-25025 – Event Calendar < 1.1.51 - Subscriber+ Event Creation
https://notcve.org/view.php?id=CVE-2021-25025
The EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the add_calendar_event AJAX actions, allowing users with a role as low as subscriber to create events. • https://wpscan.com/vulnerability/24fb4eb4-9fe1-4433-8844-8904eaf13c0e • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •
CVE-2021-25024 – Event Calendar < 1.1.51 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-25024
The EventCalendar WordPress plugin before 1.1.51 does not escape some user input before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues. • https://wpscan.com/vulnerability/08864b76-d898-4dfe-970d-d7cc1b1115a7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-5485 – The Events Calendar: Eventbrite Tickets < 3.10.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-5485
Reflected cross-site scripting (XSS) vulnerability in the Event Import page (import-eventbrite-events.php) in the Modern Tribe Eventbrite Tickets plugin before 3.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "error" parameter to wp-admin/edit.php. The WordPress Eventbrite Tickets plugin from The Events Calendar version 3.9.6 suffers from a cross-site scripting vulnerability. • http://packetstormsecurity.com/files/132676/The-Events-Calender-Eventbrite-Tickets-3.9.6-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2015/Jul/67 https://security.dxw.com/advisories/reflected-xss-in-the-events-calendar-eventbrite-tickets-allows-unauthenticated-users-to-do-almost-anything-an-admin-can https://theeventscalendar.com/release-eventbrite-tickets-3-10-2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •