
CVE-2022-40205 – WordPress wpForo Forum plugin <= 2.0.5 - Insecure direct object references (IDOR) vulnerability
https://notcve.org/view.php?id=CVE-2022-40205
26 Sep 2022 — Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as solved/unsolved. The wpForo Forum plugin for WordPress is vuln... • https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-forum-plugin-2-0-5-insecure-direct-object-references-idor-vulnerability-2?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key

CVE-2022-38144 – WordPress wpForo Forum plugin <= 2.0.5 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-38144
08 Sep 2022 — Cross-Site Request Forgery (CSRF) vulnerability in the gVectors Team wpForo Forum plugin <= 2.0.5 on WordPress. The wpForo Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated ... • https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-forum-plugin-2-0-5-cross-site-request-forgery-csrf-vulnerability/_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2022-40632 – WordPress wpForo Forum plugin <= 2.0.5 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-40632
08 Sep 2022 — Cross-Site Request Forgery (CSRF) vulnerability in the gVectors Team wpForo Forum plugin <= 2.0.5 on WordPress leading to topic deletion. The wpForo Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on various AJAX actions. T... • https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-forum-plugin-2-0-5-cross-site-request-forgery-csrf-vulnerability-2?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2022-23984 – WordPress wpDiscuz plugin <= 7.3.11 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2022-23984
10 Feb 2022 — Sensitive information disclosure discovered in the wpDiscuz WordPress plugin (versions <= 7.3.11). • https://patchstack.com/database/vulnerability/wpdiscuz/wordpress-wpdiscuz-plugin-7-3-11-sensitive-information-disclosure • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2021-24806 – wpDiscuz < 7.3.4 - Arbitrary Comment Addition/Edition/Deletion via CSRF
https://notcve.org/view.php?id=CVE-2021-24806
11 Oct 2021 — The wpDiscuz WordPress plugin before 7.3.4 does not check for CSRF when adding, editing and deleting comments, which could allow an attacker to make logged-in users such as an admin edit and delete arbitrary comments, or make the user who wrote a comment edit it, via a CSRF attack. Attackers could also make logged-in users post arbitrary comments. • https://wpscan.com/vulnerability/2746101e-e993-42b9-bd6f-dfd5544fa3fe • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2021-24737 – Comments - wpDiscuz <= 7.3.0 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24737
13 Sep 2021 — The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. • https://wpscan.com/vulnerability/f51a350c-c46d-4d52-b787-762283625d0b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-24406 – wpForo Forum < 1.9.7 - Open Redirect
https://notcve.org/view.php?id=CVE-2021-24406
14 Jun 2021 — The wpForo Forum WordPress plugin before 1.9.7 did not validate the redirect_to parameter in the login form of the forum, leading to an open redirect after a successful login. Such an issue could allow an attacker to induce a user to use a login URL that redirects to a website under the attacker's control, a replica of the legitimate one, asking the user to re-enter their credentials (which will then be in the attacker's hands). • https://wpscan.com/vulnerability/a9284931-555b-4c96-86a3-09e1040b0388 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVE-2020-24186 – WordPress wpDiscuz Unauthenticated File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2020-24186
24 Aug 2020 — A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files, via the wmuUploadFiles AJAX action. • https://packetstorm.news/files/id/163302 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2020-13640 – Comments - wpDiscuz <= 5.3.5 - Blind SQL Injection via order Parameter
https://notcve.org/view.php?id=CVE-2020-13640
12 Jun 2020 — A SQL injection issue in the gVectors wpDiscuz plugin 5.3.5 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the order parameter of a wpdLoadMoreComments request. (No 7.x versions are affected.) • https://github.com/asterite3/CVE-2020-13640 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2019-19112 – wpForo Forum <= 1.6.5 - Cross-Site Scripting via wpf-dw-td-value class
https://notcve.org/view.php?id=CVE-2019-19112
04 May 2020 — The wpForo plugin 1.6.5 for WordPress allows XSS involving the wpf-dw-td-value class of dashboard.php. • https://twitter.com/Sh0ckFR/status/1257298443527053313 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')