CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6556 – SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer <= 3.10.8 - Unauthenticated Full Path Disclosure
https://notcve.org/view.php?id=CVE-2024-6556
09 Jul 2024 — The SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.10.8. This is due the plugin utilizing mobiledetect without preventing direct access to the files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for ... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3115079%40smartcrawl-seo&new=3115079%40smartcrawl-seo&sfp_email=&sfph_mail= • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37239 – WordPress Branda plugin <= 3.4.17 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-37239
28 Jun 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPMU DEV Branda allows Stored XSS.This issue affects Branda: from n/a through 3.4.17. Vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web (XSS o 'Cross-site Scripting') en WPMU DEV Branda permite XSS almacenado. Este problema afecta a Branda: desde n/a hasta 3.4.17. The Branda plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up t... • https://patchstack.com/database/vulnerability/branda-white-labeling/wordpress-branda-plugin-3-4-17-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3352 – Smush – Lazy Load Images, Optimize & Compress Images <= 3.16.4 - Missing Authorization to Resmush List Deletion
https://notcve.org/view.php?id=CVE-2023-3352
20 Jun 2024 — The Smush plugin for WordPress is vulnerable to unauthorized deletion of the resmush list due to a missing capability check on the delete_resmush_list() function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to delete the resmush list for Nextgen or the Media Library. • https://plugins.trac.wordpress.org/changeset/3105107/wp-smushit/trunk/app/class-ajax.php • CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5191 – Branda – White Label WordPress, Custom Login Page Customizer <= 3.4.17 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
https://notcve.org/view.php?id=CVE-2024-5191
20 Jun 2024 — The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mime_types’ parameter in all versions up to, and including, 3.4.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Branda – White Label WordPress, Custom L... • https://plugins.trac.wordpress.org/browser/branda-white-labeling/tags/3.4.17/inc/modules/utilities/images.php#L58 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3287 – SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer <= 3.10.2 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-3287
19 Apr 2024 — The SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer plugin for WordPress is vulnerable to unauthorized ld+json description injection due to a missing capability check on the save_settings function in all versions up to, and including, 3.10.2. This makes it possible for unauthenticated attackers to save schema types. El complemento SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer para WordPress es vulnerable a la inyección no autorizada de descripciones ld+json debido a una falta d... • https://plugins.trac.wordpress.org/changeset/3073136/smartcrawl-seo/trunk/includes/core/schema/class-types.php?old=2943058&old_path=smartcrawl-seo%2Ftrunk%2Fincludes%2Fcore%2Fschema%2Fclass-types.php • CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3053 – Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.29.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via forminator_form Shortcode
https://notcve.org/view.php?id=CVE-2024-3053
08 Apr 2024 — The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ forminator_form shortcode attribute in versions up to, and including, 1.29.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Forminator – Co... • https://plugins.trac.wordpress.org/changeset/3066927/forminator • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1794 – Forminator <= 1.29.0 - Unauthenticated Stored Cross-Site Scripting via File Upload
https://notcve.org/view.php?id=CVE-2024-1794
29 Mar 2024 — The Forminator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. 3gpp file) in all versions up to, and including, 1.29.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Forminator para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de un archivo cargado (por ejemplo,... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3047085%40forminator&old=3028842%40forminator&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0368 – Hustle <= 7.8.3 - Sensitive Information Exposure via Exposed Hubspot API Keys
https://notcve.org/view.php?id=CVE-2024-0368
12 Mar 2024 — The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.3 via hardcoded API Keys. This makes it possible for unauthenticated attackers to extract sensitive data including PII. El complemento Hustle – Email Marketing, Lead Generation, Optins, Popups para WordPress es vulnerable a la exposición de información confidencial en todas las versiones hasta la 7.8.3 incluida a través de claves API cod... • https://developers.hubspot.com/docs/api/webhooks#manage-settings-via-api • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51490 – WordPress Defender Security Plugin <= 4.1.0 is vulnerable to Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2023-51490
27 Dec 2023 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPMU DEV Defender Security – Malware Scanner, Login Security & Firewall.This issue affects Defender Security – Malware Scanner, Login Security & Firewall: from n/a through 4.1.0. Exposición de información confidencial a una vulnerabilidad de actor no autorizado en WPMU DEV Defender Security: análisis de malware, seguridad de inicio de sesión y firewall. Este problema afecta a Defender Security: análisis de malware, seguridad de inic... • https://patchstack.com/database/vulnerability/defender-security/wordpress-defender-security-plugin-4-1-0-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5949 – SmartCrawl WordPress SEO checker < 3.8.3 - Unauthenticated Password Protected Post Disclosure
https://notcve.org/view.php?id=CVE-2023-5949
23 Nov 2023 — The SmartCrawl WordPress plugin before 3.8.3 does not prevent unauthorised users from accessing password-protected posts' content. El complemento SmartCrawl de WordPress anterior a 3.8.3 no impide que usuarios no autorizados accedan al contenido de las publicaciones protegidas con contraseña. The Simple Social Media Share Buttons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.2 via meta tags. This makes it possible for unauthenticated attackers... • https://wpscan.com/vulnerability/3cec27ca-f470-402d-ae3e-271cb59cf407 • CWE-862: Missing Authorization •