
CVE-2023-4862 – File Manager Pro < 1.8.1 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-4862
19 Sep 2023 — The File Manager Pro WordPress plugin before 1.8.1 does not adequately validate and escape some inputs, leading to XSS by high-privilege users. The File Manager Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8 due to insufficient input sanitization and ... • https://wpscan.com/vulnerability/81821bf5-69e1-4005-b3eb-d541490909cc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-4827 – File Manager Pro < 1.8 - Remote Code Execution via CSRF
https://notcve.org/view.php?id=CVE-2023-4827
11 Sep 2023 — The File Manager Pro WordPress plugin before 1.8 does not properly check the CSRF nonce in the `fs_connector` AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests, such as uploading a web shell. • https://wpscan.com/vulnerability/d4daf0e1-8018-448a-964c-427a355e005f • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2022-2093 – WP Duplicate Page < 1.3 - Admin+ Stored Cross Site Scripting
https://notcve.org/view.php?id=CVE-2022-2093
20 Jun 2022 — The WP Duplicate Page WordPress plugin before 1.3 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. • https://wpscan.com/vulnerability/a11628e4-f47b-42d8-9c09-7536d49fce4c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-24385 – Filebird 4.7.3 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2021-24385
16 Jun 2021 — The Filebird Plugin 4.7.3 introduced an SQL injection vulnerability, as it makes SQL queries without escaping user input data from an HTTP POST request. This is a major vulnerability: the user input is not escaped and is passed directly to the get_col function, which allows SQL injection. The REST API endpoint that invokes this function also does not require any permissions or authentication and can be accessed by an anonymous user. • https://10up.com/blog/2021/security-vulnerability-filebird-wordpress-plugin • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2020-24142 – Video Downloader for TikTok < 1.4 - Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2020-24142
13 Apr 2021 — Server-side request forgery in the Video Downloader for TikTok (aka downloader-tiktok) plugin 1.3 for WordPress lets an attacker send crafted requests from the back-end server of a vulnerable web application via the njt-tk-download-video parameter. It can help identify open ports and local network hosts, and execute commands on services. • https://github.com/secwx/research/blob/main/cve/CVE-2020-24142.md • CWE-918: Server-Side Request Forgery (SSRF)

CVE-2020-24143 – Video Downloader for TikTok < 1.4 - Directory Traversal
https://notcve.org/view.php?id=CVE-2020-24143
13 Apr 2021 — Directory traversal in the Video Downloader for TikTok (aka downloader-tiktok) plugin 1.3 for WordPress lets an attacker get access to files that are stored outside the web root folder via the njt-tk-download-video parameter. • https://github.com/secwx/research/blob/main/cve/CVE-2020-24143.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2020-36718 – GDPR CCPA Compliance Support <= 2.3 - PHP Object Injection
https://notcve.org/view.php?id=CVE-2020-36718
03 Nov 2020 — The GDPR CCPA Compliance Support plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.3 via deserialization of the untrusted "njt_gdpr_allow_permissions" input value. This allows unauthenticated attackers to inject a PHP object. • https://blog.nintechnet.com/gdpr-ccpa-compliance-support-plugin-fixed-insecure-deserialization-vulnerability • CWE-502: Deserialization of Untrusted Data