CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3962 – Product Addons & Fields for WooCommerce <= 32.0.18 - Unauthenticated Arbitrary File Upload via ppom_upload_file
https://notcve.org/view.php?id=CVE-2024-3962
The Product Addons & Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ppom_upload_file function in all versions up to, and including, 32.0.18. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires the PPOM Pro plugin to be installed along with a WooCommerce product that contains a file upload field to retrieve the correct nonce. El complemento Product Addons & Fields for WooCommerce para WordPress es vulnerable a cargas de archivos arbitrarias debido a la falta de validación del tipo de archivo en la función ppom_upload_file en todas las versiones hasta la 32.0.18 incluida. Esto hace posible que atacantes no autenticados carguen archivos arbitrarios en el servidor del sitio afectado, lo que puede hacer posible la ejecución remota de código. • https://plugins.trac.wordpress.org/changeset/3075669/woocommerce-product-addon https://themeisle.com/plugins/ppom-pro https://www.wordfence.com/threat-intel/vulnerabilities/id/4f95bcc3-354e-4016-9a17-945569b076b6?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6805 – RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.4.7 - Authenticated(Contributor+) Blind Server-Side Request Forgery (SSRF)
https://notcve.org/view.php?id=CVE-2023-6805
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 4.4.7 via the fetch_feed functionality. This makes it possible for authenticated attackers, with contributor access and above, to make web requests to arbitrary locations originating from the web application and can be used to modify information from internal services. NOTE: This vulnerability, exploitable by contributor-level users, was was fixed in version 4.4.7. The same vulnerability was fixed for author-level users in version 4.4.8. El complemento RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator para WordPress es vulnerable a Blind Server-Side Request Forgery en todas las versiones hasta la 4.4.7 incluida a través de la funcionalidad fetch_feed. • https://plugins.trac.wordpress.org/changeset/3070624/feedzy-rss-feeds https://www.wordfence.com/threat-intel/vulnerabilities/id/46978e1d-7adb-49f6-8e41-093f177c9a4d?source=cve • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3725 – Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'titleTag'
https://notcve.org/view.php?id=CVE-2024-3725
The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post Grid widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes such as 'titleTag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE para WordPress son vulnerables a Cross-Site Scripting Almacenado a través del widget Post Grid del complemento en todas las versiones hasta la 2.6.9 incluida debido a una sanitización de entrada insuficiente y a un escape de salida en atributos proporcionados por el usuario como 'titleTag'. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset/3071504/otter-blocks/trunk/inc/render/class-posts-grid-block.php https://www.wordfence.com/threat-intel/vulnerabilities/id/ceb041f6-b88a-495a-8f5f-7f39f640748d?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3343 – Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 2.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes
https://notcve.org/view.php?id=CVE-2024-3343
The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Otter Blocks – Gutenberg Blocks, Page Builder para Gutenberg Editor y el complemento FSE para WordPress son vulnerables a Cross-Site Scripting a través de los atributos de bloque del complemento en todas las versiones hasta la 2.6.8 incluida debido a una sanitización de entrada y un escape de salida insuficientes en los atributos proporcionados por el usuario. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://github.com/julio-cfa/CVE-2024-33438 https://plugins.trac.wordpress.org/changeset/3068495/otter-blocks https://www.wordfence.com/threat-intel/vulnerabilities/id/67981160-6c91-48a4-ba1c-68204d538ed6?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3344 – Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 2.6.8 - Authenticated (Author+) Limited File Upload to Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-3344
The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Otter Blocks – Gutenberg Blocks, Page Builder para Gutenberg Editor y el complemento FSE para WordPress son vulnerables a Cross-Site Scripting a través de la carga de archivos SVG en todas las versiones hasta la 2.6.8 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso a nivel de autor y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/changeset/3068495/otter-blocks https://www.wordfence.com/threat-intel/vulnerabilities/id/db836f4b-d31f-4442-89a5-1a400525c598?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •