CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the name parameter in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in feedback form responses that will execute whenever a high-privileged user tries to view them.

• https://plugins.trac.wordpress.org/browser/userfeedback-lite/tags/1.0.15/includes/frontend/class-userfeedback-frontend.php#L257
• https://www.wordfence.com/threat-intel/vulnerabilities/id/bce9ba42-f574-47c1-9ea5-1e56f9da8e71?source=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Duplicator plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 1.5.9. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use.

• https://plugins.trac.wordpress.org/browser/duplicator/trunk/installer/dup-installer/main.installer.php#L51
• https://plugins.trac.wordpress.org/changeset/3108563/duplicator/trunk/installer/dup-installer/main.installer.php?old=3073248&old_path=duplicator%2Ftrunk%2Finstaller%2Fdup-installer%2Fmain.installer.php
• https://www.wordfence.com/threat-intel/vulnerabilities/id/d47d582d-7c90-4f49-aee1-03a8775b850d?source=cve
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Feeds for YouTube (YouTube video, channel, and gallery plugin) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'youtube-feed' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

• https://plugins.trac.wordpress.org/browser/feeds-for-youtube/trunk/js/sb-youtube.js
• https://plugins.trac.wordpress.org/changeset/3107577
• https://www.wordfence.com/threat-intel/vulnerabilities/id/228fab65-e5c2-41d1-ad41-fac4862894f2?source=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Contact Form by WPForms – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to price manipulation in versions up to, and including, 1.8.7.2. This is due to a lack of controls on several product parameters. This makes it possible for unauthenticated attackers to manipulate prices, product information, and quantities for purchases made via the Stripe payment integration.

• https://plugins.trac.wordpress.org/changeset/3075634
• https://plugins.trac.wordpress.org/changeset/3075634/wpforms-lite/trunk/assets/js/integrations/stripe/wpforms-stripe-payment-element.js
• https://www.wordfence.com/threat-intel/vulnerabilities/id/68a509ae-9943-4b9a-8ede-2b5732e96e6d?source=cve
• CWE-472: External Control of Assumed-Immutable Web Parameter

CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

The All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.6.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3073370%40all-in-one-seo-pack%2Ftrunk&old=3064696%40all-in-one-seo-pack%2Ftrunk&sfp_email=&sfph_mail=
• https://www.wordfence.com/threat-intel/vulnerabilities/id/28741ffc-4ff5-4e67-a183-bb5064b6752e?source=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')