CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22691 – WordPress Category Specific RSS feed Subscription Plugin <= v2.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-22691
20 Jan 2023 — Cross-Site Request Forgery (CSRF) vulnerability in Tips and Tricks HQ, Ruhul Amin Category Specific RSS feed Subscription plugin <= v2.1 versions. The Category Specific RSS feed Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1. This is due to missing nonce validation on the category_specific_option_page function used to control plugin settings. This makes it possible for unauthenticated attackers to update plugin settings via a forged reques... • https://patchstack.com/database/vulnerability/category-specific-rss-feed-menu/wordpress-category-specific-rss-feed-subscription-plugin-v2-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0275 – Easy Accept Payments for PayPal < 4.9.10 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0275
17 Jan 2023 — The Easy Accept Payments for PayPal WordPress plugin before 4.9.10 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Easy Accept Payments for PayPal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 4.9.9 due to insufficient input saniti... • https://wpscan.com/vulnerability/aab5d803-d621-4b12-a901-ff4447334d88 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4672 – WordPress Simple Shopping Cart < 4.6.2 - Contributor+ Stored XSS via Shortcode
https://notcve.org/view.php?id=CVE-2022-4672
27 Dec 2022 — The WordPress Simple Shopping Cart WordPress plugin before 4.6.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. El complemento Simple Shopping Cart de WordPress anterior a 4.6.2 no valida ni escapa algunos de sus atributos de código corto antes de devolverlos a la página, lo que podría... • https://wpscan.com/vulnerability/6500271f-9d1c-40ed-be58-a6cea8d1110d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4542 – Compact WP Audio Player < 1.9.8 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-4542
27 Dec 2022 — The Compact WP Audio Player WordPress plugin before 1.9.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. El complemento Compact WP Audio Player de WordPress anterior a 1.9.8 no valida ni escapa algunos de sus atributos de código corto antes de devolverlos a la página, lo que podría per... • https://wpscan.com/vulnerability/f0bef96f-dfe2-4988-adf8-e1bd493c5242 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4465 – WP Video Lightbox < 1.9.7 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-4465
21 Dec 2022 — The WP Video Lightbox WordPress plugin before 1.9.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin. Las versiones del complemento WP Video Lightbox de WordPress anteriores a 1.9.7 no validan ni escapan algunos de sus atributos de código corto antes de devolverlos a la página, lo que podr... • https://wpscan.com/vulnerability/28abe589-1371-4ed2-90b6-2bb96c93832c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-44737 – WordPress All In One WP Security plugin <= 5.1.0 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
https://notcve.org/view.php?id=CVE-2022-44737
22 Nov 2022 — Multiple Cross-Site Request Forgery vulnerabilities in All-In-One Security (AIOS) – Security and Firewall (WordPress plugin) <= 5.1.0 on WordPress. Múltiples vulnerabilidades de Cross-Site Request Forgery en el complemento All-In-One Security (AIOS) Security and Firewall en WordPress en versiones <= 5.1.0. The All In One WP Security & Firewall plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to incorrect nonce validation on the function... • https://patchstack.com/database/vulnerability/all-in-one-wp-security-and-firewall/wordpress-all-in-one-wp-security-plugin-5-1-0-multiple-cross-site-request-forgery-csrf-vulnerabilities?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3822 – Donations via PayPal < 1.9.9 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-3822
04 Nov 2022 — The Donations via PayPal WordPress plugin before 1.9.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). El complemento Donations via PayPal de WordPress anterior a 1.9.9 no sanitiza ni escapa a algunas de sus configuraciones, lo que podría permitir a usuarios con privilegios elevados, como el administrador, realizar ata... • https://wpscan.com/vulnerability/48ec2e4a-0190-4f36-afd1-d5799ba28c13 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2189 – WP Video Lightbox < 1.9.5 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2189
30 Jun 2022 — The WP Video Lightbox WordPress plugin before 1.9.5 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers El plugin WP Video Lightbox de WordPress versiones anteriores a 1.9.5, no escapa del parámetro $_SERVER["REQUEST_URI"] antes de devolverlo en un atributo, lo que podría conllevar a un ataque de tipo Cross-Site Scripting Reflejado en navegadores antiguos The WP Video Lightbox plugin for WordP... • https://wpscan.com/vulnerability/b6ed4d64-ee98-41bd-a97a-8350c2a8a546 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2194 – Accept Stripe Payments < 2.0.64 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2194
27 Jun 2022 — The Accept Stripe Payments WordPress plugin before 2.0.64 does not sanitize and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. El plugin Accept Stripe Payments de WordPress versiones anteriores a 2.0.64, no sanea y escapa de algunas de sus configuraciones, permitiendo a usuarios con altos privilegios como el administrador llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando ... • https://wpscan.com/vulnerability/ecf4b707-dea9-42d0-9ade-d788a9f97190 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1695 – WP Simple Adsense Insertion < 2.1 - Inject ads and javascript via CSRF
https://notcve.org/view.php?id=CVE-2022-1695
12 May 2022 — The WP Simple Adsense Insertion WordPress plugin before 2.1 does not perform CSRF checks on updates to its admin page, allowing an attacker to trick a logged in user to manipulate ads and inject arbitrary javascript via submitting a form. El plugin WP Simple Adsense Insertion de WordPress versiones anteriores a 2.1, no lleva a cabo comprobaciones de tipo CSRF en las actualizaciones de su página de administración, lo que permite a un atacante engañar a un usuario con sesión iniciada para manipular anuncios e... • https://wpscan.com/vulnerability/2ac5b87b-1390-41ce-af6e-c50e5709baaa • CWE-352: Cross-Site Request Forgery (CSRF) •