CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45072 – WordPress WPML Multilingual CMS premium plugin <= 4.5.13 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-45072
Cross-Site Request Forgery (CSRF) vulnerability in WPML Multilingual CMS premium plugin <= 4.5.13 on WordPress. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento WPML Multilingual CMS premium en WordPress en versión <= 4.5.13. The WPML plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.13. This is due to missing or incorrect nonce validation on an unspecified function. This makes it possible for unauthenticated attackers to enact the status change of translation jobs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/sitepress-multilingual-cms/wordpress-wpml-multilingual-cms-premium-plugin-4-5-13-cross-site-request-forgery-csrf-vulnerability-2?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2018-18069 – WPML <= 3.6.3 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-18069
process_forms in the WPML (aka sitepress-multilingual-cms) plugin through 3.6.3 for WordPress has XSS via any locale_file_name_ parameter (such as locale_file_name_en) in an authenticated theme-localization.php request to wp-admin/admin.php. process_forms en el plugin WPML (también conocido como sitepress-multilingual-cms) hasta la versión 3.6.3 para WordPress tiene Cross-Site Scripting (XSS) mediante cualquier parámetro locale_file_name_ (como locale_file_name_en) en una petición theme-localization.php autenticada a wp-admin/admin.php. process_forms in the WPML (aka sitepress-multilingual-cms) plugin through 3.6.3 for WordPress has XSS via any locale_file_name_ parameter (such as locale_file_name_en) in an unauthenticated theme-localization.php request to wp-admin/admin.php. • https://0x62626262.wordpress.com/2018/10/08/sitepress-multilingual-cms-plugin-unauthenticated-stored-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 4CVE-2015-2315 – WPML < 3.1.9 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-2315
Cross-site scripting (XSS) vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the target parameter in a reminder_popup action to the default URI. Vulnerabilidad XSS en el plugin WPML 3.1.9 de WordPress permite a atacantes remotos inyectar secuencias de comandos secuencias de comandos web arbitrarios o HTML a través del parámetro targer en la acción reminder_popup a la URI por defecto. • https://www.exploit-db.com/exploits/36414 http://klikki.fi/adv/wpml.html http://packetstormsecurity.com/files/130810/WordPress-WPML-XSS-Deletion-SQL-Injection.html http://seclists.org/fulldisclosure/2015/Mar/71 http://wpml.org/2015/03/wpml-security-update-bug-and-fix http://www.securityfocus.com/archive/1/534862/100/0/threaded • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 4CVE-2015-2791 – WPML <= 3.1.9 - Arbitrary Deletion of Content
https://notcve.org/view.php?id=CVE-2015-2791
The "menu sync" function in the WPML plugin before 3.1.9 for WordPress allows remote attackers to delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php. La función 'menu sync' en el plugin WPML anterior a 3.1.9 para WordPress permite a atacantes remotos eliminar mensajes, páginas y menús arbitrarios a través de una solicitud manipulada a sitepress-multilingual-cms/menu/menus-sync.php. • https://www.exploit-db.com/exploits/36414 http://klikki.fi/adv/wpml.html http://packetstormsecurity.com/files/130810/WordPress-WPML-XSS-Deletion-SQL-Injection.html http://seclists.org/fulldisclosure/2015/Mar/71 http://www.securityfocus.com/archive/1/534862/100/0/threaded https://wpml.org/2015/03/wpml-security-update-bug-and-fix • CWE-264: Permissions, Privileges, and Access Controls CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 4CVE-2015-2314 – WPML <= 3.1.9 - SQL Injection via lang Parameter
https://notcve.org/view.php?id=CVE-2015-2314
SQL injection vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the lang parameter in the HTTP Referer header in a wp-link-ajax action to comments/feed. Vulnerabilidad de inyección SQL en el plugin WPML anterior a 3.1.9 de WordPress permite a atacantes remotos ejecutar comandos arbitrarios SQL a través del parámetro lang en la cabecera Referer HTTP en la acción wp-link-ajax a comments/feed. SQL injection vulnerability in the WPML plugin before 3.1.9.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the lang parameter in the HTTP Referer header in a wp-link-ajax action to comments/feed. • https://www.exploit-db.com/exploits/36414 http://klikki.fi/adv/wpml.html http://packetstormsecurity.com/files/130810/WordPress-WPML-XSS-Deletion-SQL-Injection.html http://seclists.org/fulldisclosure/2015/Mar/71 http://wpml.org/2015/03/wpml-security-update-bug-and-fix http://www.osvdb.org/119541 http://www.securityfocus.com/archive/1/534862/100/0/threaded • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •