Page 2 of 9 results (0.006 seconds)

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters plugin <= 4.8.8 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento Tribulant Newsletters en versiones &lt;= 4.8.8. The Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.8.8. This is due to missing nonce validation on several cases in several functions like admin_groups() and admin_forms(). This makes it possible for unauthenticated attackers to manipulate forms and groups via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/newsletters-lite/wordpress-newsletters-plugin-4-8-8-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2

The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter. El plugin Tribulant Newsletters en versiones anteriores a 4.6.19 para WordPress, permite un ataque de tipo XSS por medio del parámetro contentarea de wp-admin/admin-ajax.php?action=newsletters_load_new_editor. • https://wordpress.org/plugins/newsletters-lite/#developers https://wpvulndb.com/vulnerabilities/9447 https://www.pluginvulnerabilities.com/2019/07/01/reflected-cross-site-scripting-xss-vulnerability-in-newsletters • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers[1][1] parameter in conjunction with an exportfile=../ value. El archivo wp-admin/admin-ajax.php?action=newsletters_exportmultiple en el plugin Tribulant Newsletters versiones anteriores a 4.6.19 para WordPress, permite un salto de directorio con ejecución de código PHP remota resultante por medio del parámetro subscribers [1][1] en conjunto con un valor exportfile=../. • https://wordpress.org/plugins/newsletters-lite/#developers https://wpvulndb.com/vulnerabilities/9447 https://www.pluginvulnerabilities.com/2019/07/02/there-is-also-an-authenticated-remote-code-execution-rce-vulnerability-in-newsletters • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

The newsletters-lite plugin before 4.6.8.6 for WordPress has PHP object injection. El plugin newsletters-lite en versiones anteriores a la 4.6.8.6 para WordPress tiene inyección de objetos PHP. • https://wordpress.org/plugins/newsletters-lite/#developers https://wpvulndb.com/vulnerabilities/9627 • CWE-502: Deserialization of Untrusted Data •