
CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the install_weglot function called via the admin_action_install_weglot action. This makes it possible for unauthenticated attackers to perform an unauthorized install of the Weglot Translate plugin via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
• https://plugins.trac.wordpress.org/browser/under-construction-page/trunk/under-construction.php?rev=2848705#L2389
• https://www.wordfence.com/threat-intel/vulnerabilities/id/4fa84388-3597-4a54-9ae8-d6e04afe9061?source=cve
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the dismiss_notice function called via the admin_action_ucp_dismiss_notice action. This makes it possible for unauthenticated attackers to dismiss plugin notifications via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
• https://plugins.trac.wordpress.org/browser/under-construction-page/trunk/under-construction.php?rev=2848705#L901
• https://www.wordfence.com/threat-intel/vulnerabilities/id/031a1203-6b0d-453b-be8a-12e7f55cb401?source=cve
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

The External Links in New Window / New Tab WordPress plugin before 1.43 does not properly escape URLs it concatenates to onclick event handlers, which makes Stored Cross-Site Scripting attacks possible.
• https://wpscan.com/vulnerability/cbb75383-4351-4488-aaca-ddb0f6f120cd
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

The External Links in New Window / New Tab WordPress plugin before 1.43 does not ensure window.opener is set to "null" when links to external sites are clicked, which may enable tabnabbing attacks to occur.
• https://wpscan.com/vulnerability/aa9d727c-4d17-4220-b8cb-e6dec30361a9
• CWE-1022: Use of Web Link to Untrusted Target with window.opener Access

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

Cross-Site Request Forgery (CSRF) vulnerability in WebFactory Ltd. WP Reset PRO plugin, versions <= 5.98. Cross-Site Request Forgery (CSRF) vulnerability leading to Database Reset in WordPress WP Reset PRO Premium plugin (versions <= 5.98) allows attackers to trick authenticated users into making an unintentional database reset.
• https://patchstack.com/database/vulnerability/wp-reset/wordpress-wp-reset-pro-premium-plugin-5-98-cross-site-request-forgery-csrf-vulnerability-leading-to-database-reset?_s_id=cve
• https://patchstack.com/wp-reset-pro-critical-vulnerability-fixed
• CWE-352: Cross-Site Request Forgery (CSRF)