CVE-2023-23649 – WordPress MainWP Links Manager Extension Plugin <= 2.1 - Unauthenticated PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2023-23649
Deserialization of Untrusted Data vulnerability in MainWP MainWP Links Manager Extension. This issue affects MainWP Links Manager Extension: from n/a through 2.1. The MainWP Links Manager Extension plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.1 via deserialization of untrusted input. This allows unauthenticated attackers to inject a PHP Object. • https://patchstack.com/database/vulnerability/mainwp-links-manager-extension/wordpress-mainwp-links-manager-extension-plugin-2-1-unauthenticated-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data
CVE-2022-3135 – SEO Smart Links <= 3.0.1 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-3135
The SEO Smart Links WordPress plugin through 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The SEO Smart Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/3505481d-141a-4516-bdbb-d4dad4e1eb01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-1759 – RB Internal Links <= 2.0.16 - Stored Cross-Site Scripting via CSRF
https://notcve.org/view.php?id=CVE-2022-1759
The RB Internal Links WordPress plugin through 2.0.16 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack, as well as perform Stored Cross-Site Scripting attacks due to the lack of sanitisation and escaping. • https://wpscan.com/vulnerability/d8e63f78-f38a-4f68-96ba-8059d175cea8 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2017-15863 – WP No External Links < 3.5.19 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-15863
Cross Site Scripting (XSS) exists in the wp-noexternallinks plugin before 3.5.19 for WordPress via the date1 or date2 parameter to wp-admin/options-general.php. • http://lists.openwall.net/full-disclosure/2017/06/02/3 • https://wordpress.org/plugins/wp-noexternallinks/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-4833 – Nofollow Links <= 1.0.10 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2016-4833
Cross-site scripting (XSS) vulnerability in the Nofollow Links plugin before 1.0.11 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. • http://jvn.jp/en/jp/JVN13582657/index.html • http://jvndb.jvn.jp/jvndb/JVNDB-2016-000125 • http://www.securityfocus.com/bid/92077 • https://wordpress.org/plugins/nofollow-links/changelog • https://wpvulndb.com/vulnerabilities/8580 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')