CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-29414 – WordPress Subscribe To Comments Reloaded plugin <= 211130 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
https://notcve.org/view.php?id=CVE-2022-29414
Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube's Subscribe To Comments Reloaded plugin <= 211130 on WordPress allows attackers to clean up Log archive, download system info file, plugin system settings, plugin options settings, generate a new key, reset all options, change notifications settings, management page settings, comment form settings, manage subscriptions > mass update settings, manage subscriptions > add a new subscription, update subscription, delete Subscription. Múltiples (13x) vulnerabilidades de tipo Cross-Site Request Forgery (CSRF) en el plugin Subscribe To Comments Reloaded de WPKube versiones anteriores a 211130 incluyéndola en WordPress, permite a atacantes limpiar el archivo de registro, descargar el archivo de información del sistema, la configuración del sistema del plugin, la configuración de las opciones del plugin, generar una nueva clave, restablecer todas las opciones, cambiar la configuración de las notificaciones, la configuración de la página de administración, la configuración del formulario de comentarios, administrar las suscripciones ) configuración de actualización masiva, administrar las suscripciones ) añadir una nueva suscripción, actualizar la suscripción, eliminar la suscripción • https://patchstack.com/database/vulnerability/subscribe-to-comments-reloaded/wordpress-subscribe-to-comments-reloaded-plugin-211130-multiple-cross-site-request-forgery-csrf-vulnerabilities https://wordpress.org/plugins/subscribe-to-comments-reloaded • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24745 – About Author Box < 1.0.2 - Contributor+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24745
The About Author Box WordPress plugin before 1.0.2 does not sanitise and escape the Social Profiles field values before outputting them in attributes, which could allow user with a role as low as contributor to perform Cross-Site Scripting attacks. El plugin About Author Box de WordPress versiones anteriores a 1.0.2, no sanea y escapa de los valores del campo Social Profiles antes de mostrarlos en los atributos, lo que podría permitir a un usuario con un rol tan bajo como el de colaborador llevar a cabo ataques de tipo Cross-Site Scripting • https://wpscan.com/vulnerability/a965aeca-d8f9-4070-aa0d-9c9b95493dda • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24682 – Cool Tag Cloud < 2.26 - Contributor+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24682
The Cool Tag Cloud WordPress plugin before 2.26 does not escape the style attribute of the cool_tag_cloud shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. El plugin Cool Tag Cloud de WordPress versiones anteriores a 2.26, no escapa del atributo style del shortcode cool_tag_cloud, lo que podría permitir a usuarios con un rol tan bajo como el de Contribuyente llevar a cabo ataques de tipo Cross-Site Scripting • https://wpscan.com/vulnerability/7dfdd50d-77f9-4f0a-8673-8f033c0b0e05 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-4362 – Kiwi Social Sharing 2.1.0 - 2.1.2 - Arbitrary Options Change
https://notcve.org/view.php?id=CVE-2021-4362
The Kiwi Social Share plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the kiwi_social_share_get_option() function called via the kiwi_social_share_get_option AJAX action in version 2.1.0. This makes it possible for unauthenticated attackers to read and modify arbitrary options on a WordPress site that can be used for complete site takeover. This was a previously fixed vulnerability that was reintroduced in this version. • https://blog.nintechnet.com/wordpress-kiwi-social-sharing-plugin-fixed-critical-vulnerability https://wordpress.org/plugins/kiwi-social-share/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/8148b6d0-190a-4b97-8af7-edd6943116d1?source=cve • CWE-862: Missing Authorization •