CVE-2023-1086 – Preview Link Generator < 1.0.4 - Arbitrary Plugin Activation via CSRF
https://notcve.org/view.php?id=CVE-2023-1086
28 Feb 2023 — The Preview Link Generator WordPress plugin before 1.0.4 does not have a CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF attack. The Preview Link Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the plugin_activation function. This makes it possible for unauthenticated attackers to activate a... • https://wpscan.com/vulnerability/e2bda716-76dc-4a26-b26a-7a2a764757b0 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-1087 – WC Sales Notification < 1.2.3 - Arbitrary Plugin Activation via CSRF
https://notcve.org/view.php?id=CVE-2023-1087
28 Feb 2023 — The WC Sales Notification WordPress plugin before 1.2.3 does not have a CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF attack. The WC Sales Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the plugin_activation function. This makes it possible for unauthenticated attackers to activate arb... • https://wpscan.com/vulnerability/356c89a1-81b6-4600-9291-1a74788af7f9 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-1088 – WP Plugin Manager < 1.1.8 - Arbitrary Plugin Activation via CSRF
https://notcve.org/view.php?id=CVE-2023-1088
28 Feb 2023 — The WP Plugin Manager WordPress plugin before 1.1.8 does not have a CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF attack. The WP Plugin Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.7. This is due to missing or incorrect nonce validation on the plugin_activation function. This makes it possible for unauthenticated attackers to activate installed p... • https://wpscan.com/vulnerability/a956f1cd-fce4-4235-b1af-4b7675a60ca2 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-0500 – WP Film Studio < 1.3.5 - Arbitrary Plugin Activation via CSRF
https://notcve.org/view.php?id=CVE-2023-0500
28 Feb 2023 — The WP Film Studio WordPress plugin before 1.3.5 does not have a CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF attack. The WP Film Studio plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.4. This is due to missing or incorrect nonce validation on the 'plugin_activation' function. This makes it possible for unauthenticated attackers to activate arbitrary plugi... • https://wpscan.com/vulnerability/95a6a11e-da5d-4fac-aff6-a3f7624682b7 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-0501 – WP Insurance < 2.1.4 - Arbitrary Plugin Activation via CSRF
https://notcve.org/view.php?id=CVE-2023-0501
28 Feb 2023 — The WP Insurance WordPress plugin before 2.1.4 does not have a CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF attack. The WP Insurance – WordPress Insurance Service Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.3. This is due to missing or incorrect nonce validation on the 'plugin_activation' function. This makes it possible for unauthenticated atta... • https://wpscan.com/vulnerability/36fd6c0d-3f0c-4f7d-aa17-5b2d084ab94c • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-0502 – WP News <= 1.1.9 - Arbitrary Plugin Activation via CSRF
https://notcve.org/view.php?id=CVE-2023-0502
28 Feb 2023 — The WP News WordPress plugin through 1.1.9 does not have a CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF attack. The WP News plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the 'plugin_activation' function. This makes it possible for unauthenticated attackers to activate arbitrary plugins already in... • https://wpscan.com/vulnerability/c959f4ce-b6ea-4aee-9a98-aa98d2a62138 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-1089 – Coupon Zen < 1.0.6 - Arbitrary Plugin Activation via CSRF
https://notcve.org/view.php?id=CVE-2023-1089
23 Feb 2023 — The Coupon Zen WordPress plugin before 1.0.6 does not have a CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF attack. The Coupon Zen plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.5. This is due to missing or incorrect nonce validation on the plugin_activation function. This makes it possible for unauthenticated attackers to activate a recommended plugin via ... • https://wpscan.com/vulnerability/9787e26f-33fe-4c65-abb3-7f5c76ae8d6f • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-46798 – WordPress WooLentor Plugin <= 2.5.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-46798
06 Feb 2023 — Cross-Site Request Forgery (CSRF) vulnerability in HasThemes ShopLentor plugin <= 2.5.1 leading to plugin settings change. The ShopLentor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.1. This is due to missing or incorrect nonce validation on the 'templates_ajax_request' function. This makes it possible for unauthenticated attackers to update post metadata such as titles and id numbers via a forged request, granted they can trick a site administrator i... • https://patchstack.com/database/vulnerability/woolentor-addons/wordpress-woolentor-plugin-2-5-1-csrf-leading-to-plugin-settings-change-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-0232 – ShopLentor < 2.5.4 - PHP Object Injection
https://notcve.org/view.php?id=CVE-2023-0232
28 Jan 2023 — The ShopLentor WordPress plugin before 2.5.4 unserializes user input from cookies in order to track viewed products and user data, which could lead to PHP Object Injection. The WooLentor plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.5.3 via deserialization of untrusted input in the function woolentor_set_views_count, which unserializes a user-provided cookie. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerab... • https://plugins.trac.wordpress.org/changeset/2852711/woolentor-addons/trunk/includes/helper-function.php • CWE-502: Deserialization of Untrusted Data
CVE-2023-0231 – ShopLentor < 2.5.4 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0231
28 Jan 2023 — The ShopLentor WordPress plugin before 2.5.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The WooLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 2.5.3 due to insufficient input sanitization and output escaping on user-supplied attribute... • https://wpscan.com/vulnerability/533c19d5-219c-4389-a8bf-8b3a35b33b20 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')