CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46085 – WordPress Wp Ultimate Review Plugin <= 2.2.4 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-46085
16 Oct 2023 — Cross-Site Request Forgery (CSRF) vulnerability in Wpmet Wp Ultimate Review plugin <= 2.2.4 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento Wpmet Wp Ultimate Review en versiones <= 2.2.4. The Wp Ultimate Review plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.1. This is due to missing nonce validation on the wur_settings_view() function. This makes it possible for unauthenticated attackers to modify the plugin's setting... • https://patchstack.com/database/vulnerability/wp-ultimate-review/wordpress-wp-ultimate-review-plugin-2-2-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0689 – Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_first_name' shortcode
https://notcve.org/view.php?id=CVE-2023-0689
30 Aug 2023 — The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_first_name' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, including the submitter's first name. • https://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2517 – Metform Elementor Contact Form Builder <= 3.3.2 - Cross-Site Request Forgery via permalink_setup
https://notcve.org/view.php?id=CVE-2023-2517
22 Jun 2023 — The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.3.2. This is due to missing or incorrect nonce validation on the permalink_setup function. This makes it possible for unauthenticated attackers to change the permalink structure via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. While nonce verification is implemented, verification only takes place ... • https://plugins.trac.wordpress.org/browser/metform/trunk/plugin.php#L544 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0688 – Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf_thankyou shortcode
https://notcve.org/view.php?id=CVE-2023-0688
08 Jun 2023 — The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_thankyou' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about form submissions, including payment status, and transaction ID. • https://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0691 – Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf_last_name shortcode
https://notcve.org/view.php?id=CVE-2023-0691
08 Jun 2023 — The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_last_name' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, specifically the submitter's last name. • https://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0692 – Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_payment_status' shortcode
https://notcve.org/view.php?id=CVE-2023-0692
08 Jun 2023 — The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_payment_status' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the payment status of arbitrary form submissions. • https://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0693 – Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_transaction_id' shortcode
https://notcve.org/view.php?id=CVE-2023-0693
08 Jun 2023 — The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_transaction_id' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the transaction ids of arbitrary form submissions that included payment. • https://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0694 – Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf shortcode
https://notcve.org/view.php?id=CVE-2023-0694
08 Jun 2023 — The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about any standard form field of any form submission. • https://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0695 – Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf shortcode
https://notcve.org/view.php?id=CVE-2023-0695
08 Jun 2023 — The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts in pages that will execute when the victim visits a specific link. Note that getting the JavaScript to execute still requires user interaction as the victim must visit a crafted link with the form en... • https://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0708 – Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf_first_name shortcode
https://notcve.org/view.php?id=CVE-2023-0708
08 Jun 2023 — The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf_first_name' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts in pages that will execute when the victim visits a a page containing the shortcode when the submission id is present in the query string. Note that getting the JavaScript to execute requi... • https://plugins.trac.wordpress.org/browser/metform/trunk/base/shortcode.php?rev=2845078 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •