CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46146 – WordPress Themify Ultra theme <= 7.3.5 - Multiple Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-46146
Missing Authorization vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through 7.3.5. Vulnerabilidad de autorización faltante en Themify Themify Ultra. Este problema afecta a Themify Ultra: desde n/a hasta 7.3.5. The Themify Ultra theme for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on one of its functions in versions up to, and including, 7.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to make use of this functionality. • https://patchstack.com/database/vulnerability/themify-ultra/wordpress-themify-ultra-theme-7-3-3-multiple-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46148 – WordPress Themify Ultra theme <= 7.3.5 - Authenticated Arbitrary Settings Change vulnerability
https://notcve.org/view.php?id=CVE-2023-46148
Missing Authorization vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through 7.3.5. Vulnerabilidad de autorización faltante en Themify Themify Ultra. Este problema afecta a Themify Ultra: desde n/a hasta 7.3.5. The themify-ultra theme for WordPress is vulnerable to unauthorized access, modification or loss of data due to a missing capability check on an unknown function in all versions up to, and including, 7.3.5. This makes it possible for authenticated attackers with subscriber access or higher to utilize this functionality intended for higher privileged users. • https://patchstack.com/database/vulnerability/themify-ultra/wordpress-themify-ultra-theme-7-3-3-authenticated-arbitrary-settings-change-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-2654 – Conditional Menus < 1.2.1 - Reflected XSS
https://notcve.org/view.php?id=CVE-2023-2654
The Conditional Menus WordPress plugin before 1.2.1 does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin The Conditional Menus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'current_page' and 'num_of_pages ' parameters in versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/506ecee9-8e42-46de-9c5c-fc252ab2646e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-32970 – WordPress Themify Portfolio Post Plugin <= 1.2.4 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-32970
Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Themify Themify Portfolio Post plugin <= 1.2.4 versions. The Themify Portfolio Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/themify-portfolio-post/wordpress-themify-portfolio-post-plugin-1-2-2-auth-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0362 – Themify Portfolio Post < 1.2.2 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0362
Themify Portfolio Post WordPress plugin before 1.2.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Themify Portfolio Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page • https://wpscan.com/vulnerability/95ee3257-cfda-480d-b3f7-28235564cf6d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •