CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 1CVE-2023-47840 – WordPress Qode Essential Addons Plugin <= 1.5.2 is vulnerable to Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2023-47840
Improper Control of Generation of Code ('Code Injection') vulnerability in Qode Interactive Qode Essential Addons.This issue affects Qode Essential Addons: from n/a through 1.5.2. • https://github.com/RandomRobbieBF/CVE-2023-47840 https://patchstack.com/database/vulnerability/qode-essential-addons/wordpress-qode-essential-addons-plugin-1-5-2-arbitrary-plugin-installation-and-activation-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-46480
https://notcve.org/view.php?id=CVE-2023-46480
An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function. Un problema en OwnCast v.0.1.1 permite a un atacante remoto ejecutar código arbitrario y obtener información confidencial a través del parámetro authHost de la función indieauth. • https://github.com/shahzaibak96/CVE-2023-46480 https://github.com/owncast/owncast • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 1CVE-2023-4724 – WP All Export (Free < 1.4.0, Pro < 1.8.6) - Admin+ RCE
https://notcve.org/view.php?id=CVE-2023-4724
The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not validate and sanitise the `wp_query` parameter which allows an attacker to run arbitrary command on the remote server Los complementos Export any WordPress data to XML/CSV de WordPress anterior a 1.4.0 y el complemento WP All Export Pro de WordPress anterior a 1.8.6 no validan ni sanitizan el parámetro `wp_query` que permite a un atacante ejecutar comandos arbitrarios en el servidor remoto The Export any WordPress data to XML/CSV plugin for WordPress is vulnerable to Remote Code Execution in versions up to 1.4.1, and in versions up to 1.8.6 in the PRO version via the 'wp_query' parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to execute code on the server. • https://wpscan.com/vulnerability/48820f1d-45cb-4f1f-990d-d132bfc5536f • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28812
https://notcve.org/view.php?id=CVE-2023-28812
There is a buffer overflow vulnerability in a web browser plug-in could allow an attacker to exploit the vulnerability by sending crafted messages to computers installed with this plug-in, which could lead to arbitrary code execution or cause process exception of the plug-in. • https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikvision-web-browser-plug-in-locals • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-48285 – WordPress Accept Stripe Payments plugin <= 2.0.79 - Content Injection vulnerability
https://notcve.org/view.php?id=CVE-2023-48285
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Tips and Tricks HQ Stripe Payments allows Code Injection.This issue affects Stripe Payments: from n/a through 2.0.79. Neutralización inadecuada de etiquetas HTML relacionadas con scripts en una vulnerabilidad de página web (XSS básico) en Tips and Tricks HQ Stripe Payments permite la inyección de código. Este problema afecta a Stripe Payments: desde n/a hasta 2.0.79. The Accept Stripe Payments plugin for WordPress is vulnerable to Content Injection in all versions up to, and including, 2.0.79. This is due to payment data not properly being sanitized in the get_billing_details() function. • https://patchstack.com/database/vulnerability/stripe-payments/wordpress-accept-stripe-payments-plugin-2-0-79-content-injection-vulnerability?_s_id=cve • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •