
CVE-2024-1416 – Responsive Contact Form Builder & Lead Generation Plugin <= 1.8.9 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-1416
11 Apr 2024 — The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to unauthorized access to functionality due to a missing capability check on several functions in all versions up to, and including, 1.8.9. This makes it possible for unauthenticated attackers to invoke those functions. ... • https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/inc/ajax-functions.php#L21 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2023-27431 – WordPress Big Store Theme <= 1.9.3 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-27431
05 Mar 2023 — Cross-Site Request Forgery (CSRF) vulnerability in ThemeHunk Big Store theme <= 1.9.3 versions. The Big Store plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the default_home and th_activeplugin functions. This makes it possible for unauthenticated attackers to activate arbitrary plugins ... • https://patchstack.com/database/vulnerability/big-store/wordpress-big-store-theme-1-9-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2022-2404 – WP Popup Builder < 1.2.9 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2404
05 Sep 2022 — The WP Popup Builder WordPress plugin before 1.2.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. The WP Popup Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.2.8 due to insufficient input... • https://wpscan.com/vulnerability/0d889dde-b9d5-46cf-87d3-4f8a85cf9b98 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-2405 – WP Popup Builder < 1.3.0 - Subscriber+ Arbitrary Popup Deletion
https://notcve.org/view.php?id=CVE-2022-2405
05 Sep 2022 — The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers, to delete arbitrary Popup. The WP Popup Builder plugin for WordPress is vulnerable to authentication bypass in vers... • https://wpscan.com/vulnerability/50037028-2790-47ee-aae1-faf0724eb917 • CWE-352: Cross-Site Request Forgery (CSRF) • CWE-862: Missing Authorization •

CVE-2022-23180 – Contact Form & Lead Form Elementor Builder Plugin < 1.7.4 - Multiple Subscriber+ Settings Update
https://notcve.org/view.php?id=CVE-2022-23180
01 Feb 2022 — The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.4 doesn't have authorisation and nonce checks, which could allow any authenticated users, such as subscriber, to update and change various settings. The Contact Form & Lead Form E... • https://plugins.trac.wordpress.org/changeset/2670484 • CWE-862: Missing Authorization •

CVE-2022-23179 – Contact Form & Lead Form Elementor Builder < 1.7.0 - Multiple Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-23179
05 Jan 2022 — The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.0 does not escape some of its form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. ... • https://wpscan.com/vulnerability/90b8af99-e4a1-4076-99fa-efe805dd4be4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-24967 – Contact Form & Lead Form Elementor Builder < 1.6.4 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24967
29 Nov 2021 — The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.6.4 does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against logged in admin viewing the inserted Leads. ... • https://wpscan.com/vulnerability/4e165122-4746-42de-952e-a3bf51393a74 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •