CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5382 – Funnelforms Free <= 3.4 - Cross-Site Request Forgery to Arbitrary Post Deletion
https://notcve.org/view.php?id=CVE-2023-5382
The Funnelforms Free plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4. This is due to missing or incorrect nonce validation on the fnsf_delete_posts function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. El complemento Funnelforms Free para WordPress es vulnerable a Cross-Site Request Forgery en versiones hasta la 3.4 incluida. Esto se debe a una validación nonce faltante o incorrecta en la función fnsf_delete_posts. • https://plugins.trac.wordpress.org/changeset/2986938/funnelforms-free https://www.wordfence.com/threat-intel/vulnerabilities/id/72e4428b-d2cd-471f-9821-947f4601fd64?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5419 – Funnelforms Free <= 3.4 - Missing Authorization to Test Email Sending
https://notcve.org/view.php?id=CVE-2023-5419
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_test_mail function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to send test emails to an arbitrary email address. El complemento Funnelforms Free para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función fnsf_af2_test_mail en versiones hasta la 3.4 incluida. Esto hace posible que atacantes autenticados, con permisos de nivel de suscriptor y superiores, envíen correos electrónicos de prueba a una dirección de correo electrónico arbitraria. • https://plugins.trac.wordpress.org/changeset/2986938/funnelforms-free https://www.wordfence.com/threat-intel/vulnerabilities/id/64248d15-e6a7-442f-b269-e9f629d297d3?source=cve • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5385 – Funnelforms Free <= 3.4 - Missing Authorization to Arbitrary Post Duplication
https://notcve.org/view.php?id=CVE-2023-5385
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_copy_posts function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to create copies of arbitrary posts. El complemento Funnelforms Free para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función fnsf_copy_posts en versiones hasta la 3.4 incluida. Esto hace posible que atacantes autenticados, con permisos de nivel de suscriptor y superiores, creen copias de publicaciones arbitrarias. • https://plugins.trac.wordpress.org/changeset/2986938/funnelforms-free https://www.wordfence.com/threat-intel/vulnerabilities/id/e2719afc-e52c-4fcc-b030-2f6aaddb5ab9?source=cve • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5386 – Funnelforms Free <= 3.4 - Missing Authorization to Arbitrary Post Deletion
https://notcve.org/view.php?id=CVE-2023-5386
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_posts function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts, including administrator posts, and posts not related to the Funnelforms Free plugin. El complemento Funnelforms Free para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función fnsf_delete_posts en versiones hasta la 3.4 incluida. Esto hace posible que atacantes autenticados, con permisos de nivel de suscriptor y superiores, eliminen publicaciones arbitrarias, incluidas publicaciones de administrador y publicaciones no relacionadas con el complemento Funnelforms Free. The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_posts function in versions up to, and including, 3.4. • https://plugins.trac.wordpress.org/changeset/2986938/funnelforms-free https://www.wordfence.com/threat-intel/vulnerabilities/id/400fe58b-8203-4fd5-a3d3-d30eb1b8cd85?source=cve • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5387 – Funnelforms Free <= 3.4 - Missing Authorization to Enable/Disable Dark Mode
https://notcve.org/view.php?id=CVE-2023-5387
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_trigger_dark_mode function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to enable or disable the dark mode plugin setting. El complemento Funnelforms Free para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función fnsf_af2_trigger_dark_mode en versiones hasta la 3.4 incluida. Esto hace posible que los atacantes autenticados, con permisos de nivel de suscriptor y superiores, habiliten o deshabiliten la configuración del complemento del modo oscuro. • https://plugins.trac.wordpress.org/changeset/2986938/funnelforms-free https://www.wordfence.com/threat-intel/vulnerabilities/id/ccb34b44-9fa4-4ebe-b217-b2a42920247f?source=cve • CWE-862: Missing Authorization •