CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2019-14787 – Newsletters <= 4.6.18 - Cross-Site Scripting via contentarea Parameter
https://notcve.org/view.php?id=CVE-2019-14787
01 Jul 2019 — The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=newsletters_load_new_editor contentarea parameter. El plugin Tribulant Newsletters en versiones anteriores a 4.6.19 para WordPress, permite un ataque de tipo XSS por medio del parámetro contentarea de wp-admin/admin-ajax.php?action=newsletters_load_new_editor. • https://wordpress.org/plugins/newsletters-lite/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 1CVE-2019-14788 – Newsletters <= 4.6.18 - Directory Traversal
https://notcve.org/view.php?id=CVE-2019-14788
01 Jul 2019 — wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers[1][1] parameter in conjunction with an exportfile=../ value. El archivo wp-admin/admin-ajax.php?action=newsletters_exportmultiple en el plugin Tribulant Newsletters versiones anteriores a 4.6.19 para WordPress, permite un salto de directorio con ejecución de código PHP remota resultante por medio del ... • https://wordpress.org/plugins/newsletters-lite/#developers • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2018-20987 – Newsletters <= 4.6.8.5 - Object Injection
https://notcve.org/view.php?id=CVE-2018-20987
12 Mar 2018 — The newsletters-lite plugin before 4.6.8.6 for WordPress has PHP object injection. El plugin newsletters-lite en versiones anteriores a la 4.6.8.6 para WordPress tiene inyección de objetos PHP. • https://wordpress.org/plugins/newsletters-lite/#developers • CWE-502: Deserialization of Untrusted Data •