CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2484 – Orbit Fox by ThemeIsle <= 2.10.34 - Authenticated (Contributor+) Stored Cross-Site Scripting via Services and Post Type Grid Widgets
https://notcve.org/view.php?id=CVE-2024-2484
21 Jun 2024 — The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Services and Post Type Grid widgets in all versions up to, and including, 2.10.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Orbit Fox de ThemeIsle para WordPress es vulnerable a Cross... • https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/2.10.33/vendor/codeinwp/elementor-extra-widgets/widgets/elementor/posts-grid.php#L1464 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35682 – WordPress Otter Blocks PRO plugin <= 2.6.11 - Authenticated Sensitive Data Exposure vulnerability
https://notcve.org/view.php?id=CVE-2024-35682
06 Jun 2024 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Themeisle Otter Blocks PRO.This issue affects Otter Blocks PRO: from n/a through 2.6.11. Exposición de información confidencial a una vulnerabilidad de actor no autorizado en Themeisle Otter Blocks PRO. Este problema afecta a Otter Blocks PRO: desde n/a hasta 2.6.11. The Otter Blocks PRO – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up... • https://patchstack.com/database/vulnerability/otter-pro/wordpress-otter-blocks-pro-plugin-2-6-11-authenticated-sensitive-data-exposure-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35736 – WordPress Visualizer plugin <= 3.11.1 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-35736
06 Jun 2024 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeisle Visualizer.This issue affects Visualizer: from n/a through 3.11.1. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ("inyección SQL") en Themeisle Visualizer. Este problema afecta al Visualizer: desde n/a hasta 3.11.1. The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to SQL Injection via the saveQuery functi... • https://patchstack.com/database/vulnerability/visualizer/wordpress-visualizer-plugin-3-11-1-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35728 – WordPress Product Addons & Fields for WooCommerce plugin <= 32.0.20 - Content Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-35728
06 Jun 2024 — Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Themeisle PPOM for WooCommerce allows Code Inclusion.This issue affects PPOM for WooCommerce: from n/a through 32.0.20. La neutralización inadecuada de elementos especiales en la salida utilizada por una vulnerabilidad de componente posterior ("inyección") en Themeisle PPOM para WooCommerce permite la inclusión de código. Este problema afecta a PPOM para WooCommerce: desde n/a hasta 32.0.20. T... • https://patchstack.com/database/vulnerability/woocommerce-product-addon/wordpress-product-addons-fields-for-woocommerce-plugin-32-0-20-content-injection-vulnerability?_s_id=cve • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3750 – Visualizer: Tables and Charts Manager for WordPress <= 3.10.15 - Missing Authorization to Arbitrary SQL Execution
https://notcve.org/view.php?id=CVE-2024-3750
15 May 2024 — The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to unauthorized modification and retrieval of data due to a missing capability check on the getQueryData() function in all versions up to, and including, 3.10.15. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform arbitrary SQL queries that can be leveraged for privilege escalation among many other actions. • https://plugins.trac.wordpress.org/browser/visualizer/trunk/classes/Visualizer/Module/Chart.php#L1421 • CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4635 – Menu Icons by ThemeIsle <= 0.13.13 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
https://notcve.org/view.php?id=CVE-2024-4635
15 May 2024 — The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘add_mime_type’ function in versions up to, and including, 0.13.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/menu-icons/tags/0.13.13/vendor/codeinwp/icon-picker/includes/types/svg.php#L69 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 8%CPEs: 1EXPL: 0CVE-2024-3962 – Product Addons & Fields for WooCommerce <= 32.0.18 - Unauthenticated Arbitrary File Upload via ppom_upload_file
https://notcve.org/view.php?id=CVE-2024-3962
25 Apr 2024 — The Product Addons & Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ppom_upload_file function in all versions up to, and including, 32.0.18. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires the PPOM Pro plugin to be installed along with a WooCommerce product that contains a file upload field... • https://plugins.trac.wordpress.org/changeset/3075669/woocommerce-product-addon • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6805 – RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.4.7 - Authenticated(Contributor+) Blind Server-Side Request Forgery (SSRF)
https://notcve.org/view.php?id=CVE-2023-6805
16 Apr 2024 — The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 4.4.7 via the fetch_feed functionality. This makes it possible for authenticated attackers, with contributor access and above, to make web requests to arbitrary locations originating from the web application and can be used to modify information from internal services. NOTE: This vulnerability, exploitab... • https://plugins.trac.wordpress.org/changeset/3070624/feedzy-rss-feeds • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3725 – Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'titleTag'
https://notcve.org/view.php?id=CVE-2024-3725
16 Apr 2024 — The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post Grid widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes such as 'titleTag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an inje... • https://plugins.trac.wordpress.org/changeset/3071504/otter-blocks/trunk/inc/render/class-posts-grid-block.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3343 – Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 2.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes
https://notcve.org/view.php?id=CVE-2024-3343
10 Apr 2024 — The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Otte... • https://github.com/julio-cfa/CVE-2024-33438 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •