
CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

14 Mar 2022 — The Amelia WordPress plugin before 1.0.49 does not have proper authorisation when managing appointments, allowing any customer to update others' booking status, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it. • https://plugins.trac.wordpress.org/changeset/2693545 • CWE-863: Incorrect Authorization

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

01 Mar 2022 — The Amelia WordPress plugin before 1.0.47 does not have proper authorisation when managing appointments, allowing any customer to update others' bookings, as well as retrieve sensitive information about the bookings, such as the full name and phone number of the person who booked it. • https://wpscan.com/vulnerability/435ef99c-9210-46c7-80a4-09cd4d3d00cf • CWE-863: Incorrect Authorization

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

23 Feb 2022 — The Amelia WordPress plugin before 1.0.47 does not have a CSRF check in place when deleting customers, which could allow attackers to make a logged-in admin delete arbitrary customers via a CSRF attack. • https://wpscan.com/vulnerability/7c63d76e-34ca-4778-8784-437d446c16e0 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

23 Feb 2022 — The Amelia WordPress plugin before 1.0.47 does not sanitize and escape the code parameter before outputting it back in an admin page, leading to Reflected Cross-Site Scripting. • https://wpscan.com/vulnerability/fd8c720a-a94a-438f-b686-3a734e3c24e4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

23 Feb 2022 — The Amelia WordPress plugin before 1.0.47 stores image blobs into actual files whose extension is controlled by the user, which may lead to PHP backdoors being uploaded onto the site. This vulnerability can be exploited by logged-in users with the custom "Amelia Manager" role. • https://wpscan.com/vulnerability/3cf05815-9b74-4491-a935-d69a0834146c • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

16 Mar 2021 — The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low-privilege authenticated user who visits the page where the table is published can tamper with the parameters to access the data of another user present in the same table, by taking over that user's permissions on the table through the formdata[wdt_ID] parameter. By exploiting this issue an attacker is able to access and manage the data of all users in the same table. • https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii • CWE-284: Improper Access Control

CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

16 Mar 2021 — The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low-privilege authenticated user who visits the page where the table is published can tamper with the parameters to delete the data of another user present in the same table, through the id_key and id_val parameters. By exploiting this issue an attacker is able to delete the data of all users in the same table. • https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii • CWE-284: Improper Access Control

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

16 Mar 2021 — The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low-privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, via the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application. • https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

16 Mar 2021 — The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low-privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, via the 'length' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application. • https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

16 Oct 2019 — Cross-site scripting vulnerability in wpDataTables Lite version 2.0.11 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. • http://jvn.jp/en/jp/JVN14776551/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')