CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-45632 – WordPress Video Player Plugin <= 1.5.22 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-45632
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WebDorado SpiderVPlayer plugin <= 1.5.22 versions. Vulnerabilidad de Cross-Site Scripting (XSS) Reflejada No Autenticada en el complemento WebDorado SpiderVPlayer en versiones <= 1.5.22. The Video Player plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in versions up to, and including, 1.5.22 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/player/wordpress-spidervplayer-plugin-1-5-22-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2023-2655 – Contact Form by WD <= 1.13.23 - Admin+ SQLi
https://notcve.org/view.php?id=CVE-2023-2655
The Contact Form by WD WordPress plugin through 1.13.23 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin El complemento Contact Form de WD WordPress hasta la versión 1.13.23 no sanitiza ni escapa adecuadamente un parámetro antes de usarlo en una declaración SQL, lo que genera una inyección de SQL explotable por usuarios con privilegios elevados, como el administrador. The Contact Form Maker plugin for WordPress is vulnerable to blind SQL Injection in versions before 1.13.23 due to insufficient escaping on a user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with admin-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://wpscan.com/vulnerability/b3f2d38f-8eeb-45e9-bb58-2957e416e1cd • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 2CVE-2021-24625 – SpiderCatalog <= 1.7.3 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-24625
The SpiderCatalog WordPress plugin through 1.7.3 does not sanitise or escape the 'parent' and 'ordering' parameters from the admin dashboard before using them in a SQL statement, leading to a SQL injection when adding a category El plugin SpiderCatalog de WordPress versiones hasta 1.7.3, no sanea ni escapa de los parámetros "parent" y "ordering" del panel de administración antes de usarlos en una sentencia SQL, conllevando a una inyección SQL cuando se añade una categoría • https://codevigilant.com/disclosure/2021/wp-plugin-catalog https://wpscan.com/vulnerability/33e4d7c6-fa6f-459f-84b9-732ec40088b8 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24426 – Backup by 10Web <= 1.0.20 - Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24426
The Backup by 10Web – Backup and Restore Plugin WordPress plugin through 1.0.20 does not sanitise or escape the tab parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue El plugin de WordPress Backup by 10Web - Backup and Restore versiones hasta 1.0.20, no sanea o escapa del parámetro tab antes de emitirlo en la página, conllevando a un problema de tipo Cross-Site Scripting reflejado • https://m0ze.ru/vulnerability/%5B2021-05-23%5D-%5BWordPress%5D-%5BCWE-79%5D-Backup-by-10Web-WordPress-Plugin-v1.0.20.txt https://wpscan.com/vulnerability/48464b3f-fe57-40fe-8868-398a36099fb9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-11557 – WDContactFormBuilder <= 1.0.68 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2019-11557
The WebDorado Contact Form Builder plugin before 1.0.69 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized. El plugin WebDorado Contact Form Builder versión anterior a la 1.0.69 para Wordpress tiene Cross-Site Request Forgery (CSRF) mediante el parámetro de acción wp-admin/admin-ajax.php. Resulta en una inserción de archivo a través de un salto de directorio debido a una discrepancia entre el valor $_POST['action'] y el valor $_GET['action'] ya que el último no está saneado. • http://seclists.org/fulldisclosure/2019/Apr/35 https://lists.openwall.net/full-disclosure/2019/04/23/1 https://wordpress.org/plugins/contact-form-builder/#developers https://wpvulndb.com/vulnerabilities/9260 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-352: Cross-Site Request Forgery (CSRF) •