CVE-2019-11591 – Contact Form by WD <= 1.13.4 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2019-11591
The WebDorado Contact Form plugin before 1.13.5 for WordPress allows CSRF via the action parameter of wp-admin/admin-ajax.php, with resultant local file inclusion via directory traversal. The root cause is that the plugin can observe different values in $_POST['action'] and $_GET['action']; WordPress dispatches on one, the plugin builds a file path from the other, and that GET value is never sanitized, so "../" sequences in it reach the include.
• References: http://seclists.org/fulldisclosure/2019/Apr/37 · https://lists.openwall.net/full-disclosure/2019/04/05/12 · https://wordpress.org/plugins/contact-form-maker/#developers · https://wpvulndb.com/vulnerabilities/9252
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') · CWE-352: Cross-Site Request Forgery (CSRF) · CWE-829: Inclusion of Functionality from Untrusted Control Sphere
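The bug class above (an admin-ajax.php handler with no CSRF token that builds an include path from the unsanitized $_GET['action']) next to a hardened handler, as an added illustration. This is not the Contact Form plugin's code: the function names, the cfwd_ prefix, the nonce action string, the 'page' query argument and the admin/ page files are all hypothetical.

```php
<?php
// Added illustration of the bug class described above; this is not the Contact Form
// plugin's code. Function names, the 'cfwd_' prefix, the nonce action string and the
// admin/ page files are hypothetical.

// WordPress's wp-admin/admin-ajax.php selects the handler from $_REQUEST['action'].
// With PHP's default request_order ("GP") a POST field overrides a GET parameter of
// the same name, so the handler WordPress chose from the POST body can run while the
// URL's ?action= holds something else entirely.

// Vulnerable shape: no CSRF token, no capability check, and the include path is built
// from the raw $_GET['action'] (CWE-352 leading to CWE-22 / CWE-829).
function cfwd_ajax_vulnerable() {
    $page = isset($_GET['action']) ? $_GET['action'] : 'index';
    include __DIR__ . '/admin/' . $page . '.php';   // "../" in $page escapes admin/
    wp_die();
}

// Hardened shape.
function cfwd_ajax_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this handler (query arg
    //    "nonce"); check_ajax_referer() terminates the request with 403 otherwise.
    check_ajax_referer('cfwd_admin_ajax', 'nonce');

    // 2. Authorization: a nonce proves intent, not privilege; check the capability too.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 3. Map the request onto a fixed allowlist of files; user input never reaches
    //    include() as a path fragment, so traversal has nothing to act on.
    $pages = array(
        'forms'       => __DIR__ . '/admin/forms.php',
        'submissions' => __DIR__ . '/admin/submissions.php',
    );
    $key = isset($_GET['page']) ? sanitize_key(wp_unslash($_GET['page'])) : 'forms';
    if (!array_key_exists($key, $pages)) {
        wp_send_json_error('unknown page', 400);
    }
    include $pages[$key];
    wp_die();
}

// Register on the wp_ajax_ hook only (logged-in users); no wp_ajax_nopriv_ variant.
add_action('wp_ajax_cfwd_admin', 'cfwd_ajax_hardened');

// The URL the admin page hands to its JavaScript. The nonce is tied to the logged-in
// user and session, so a cross-site page cannot forge a request that passes step 1.
function cfwd_admin_ajax_url($page) {
    return add_query_arg(
        array(
            'action' => 'cfwd_admin',
            'page'   => $page,
            'nonce'  => wp_create_nonce('cfwd_admin_ajax'),
        ),
        admin_url('admin-ajax.php')
    );
}
```

Two points worth checking when reviewing any wp_ajax_ handler: the nonce and the capability check are separate controls (a valid nonce from a low-privilege user must not unlock an admin-only code path), and nothing derived from $_GET, $_POST or $_REQUEST should ever be concatenated into a path handed to include or require, even after a "sanitization" step; an allowlist lookup is the only shape that is safe by construction.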
CVE-2018-16164 – EventCalendar <= 1.1.21 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-16164
Cross-site scripting vulnerability in Event Calendar WD version 1.1.21 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
• References: https://jvn.jp/en/jp/JVN75738023/index.html · https://plugins.trac.wordpress.org/changeset/1961423 · https://wordpress.org/plugins/event-calendar-wd/#developers · https://wpvulndb.com/vulnerabilities/9199
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-10504 – Form Maker by 10Web <= 1.12.21 - CSV Injection
https://notcve.org/view.php?id=CVE-2018-10504
The WebDorado "Form Maker by WD" plugin for WordPress allows CSV injection: submitted form values are written into the exported CSV without neutralizing formula elements, so a cell beginning with a character such as = is evaluated when the export is opened in a spreadsheet. The affected-version statements differ across sources: the NVD description says before 1.12.24, an alternate description says before 1.12.22, and the public write-up reports the issue against version 1.12.20.
• References: https://www.exploit-db.com/exploits/44559 · https://wordpress.org/plugins/form-maker/#developers
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') · CWE-1236: Improper Neutralization of Formula Elements in a CSV File
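How an export routine neutralizes formula elements (CWE-1236) before writing submissions to CSV, as an added example. This is not Form Maker's code; the function names and the sample submissions are constructed, and the numeric exemption is a design choice of this example, not something the advisory prescribes.

```php
<?php
// Added example, not Form Maker's code. Neutralizes formula elements (CWE-1236) when
// exporting form submissions to CSV so spreadsheets treat hostile cells as text.
// Function names and sample data are constructed.

// Leading characters that make Excel / LibreOffice evaluate a cell as a formula,
// plus tab and carriage return, which some importers also honour as triggers.
const CSV_FORMULA_TRIGGERS = "=+-@\t\r";

function csv_neutralize_cell($value) {
    $value = (string) $value;
    if ($value === '') {
        return $value;
    }
    // Genuine numbers like "-2.5" start with a trigger character but are harmless;
    // leave them alone so negative amounts still import as numbers.
    if (preg_match('/^[+-]?\d+(\.\d+)?$/', $value)) {
        return $value;
    }
    if (strpbrk($value[0], CSV_FORMULA_TRIGGERS) !== false) {
        // A leading apostrophe forces the spreadsheet to read the cell as text.
        $value = "'" . $value;
    }
    return $value;
}

// Writes rows with fputcsv() (which quotes fields containing separators, quotes,
// spaces or newlines) after neutralizing every cell; returns the CSV as a string.
function csv_export_rows(array $rows) {
    $fh = fopen('php://temp', 'r+');
    foreach ($rows as $row) {
        fputcsv($fh, array_map('csv_neutralize_cell', $row));
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample: a header row, a benign submission, and one whose fields carry
// a DDE-style payload, a formula and an ordinary negative number.
$rows = array(
    array('name', 'email', 'message'),
    array('Alice', 'alice@example.org', 'Hello, thanks!'),
    array("=cmd|' /C calc'!A0", '@SUM(1+1)', '-2.5'),
);
echo csv_export_rows($rows);
```

The apostrophe prefix is the standard mitigation; the trade-off is that a value that legitimately starts with +, - or @ (a phone number written as +44, for instance) will carry a visible apostrophe in the spreadsheet. Exempting pure numerics, as above, removes the most common false positive; everything else should be neutralized, because the export is opened by an administrator whose machine is the actual target.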
CVE-2018-10301 – WD Instagram Feed Premium <= 1.3.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-10301
Cross-site scripting (XSS) vulnerability in the Web-Dorado Instagram Feed WD plugin before 1.3.1 Premium for WordPress allows remote attackers to inject arbitrary web script or HTML by passing payloads in a comment on an Instagram post. WordPress WD Instagram Feed version 1.3.0 suffers from multiple cross site scripting vulnerabilities.
• References: https://medium.com/%40squeal/wd-instagram-feed-1-3-0-xss-vulnerabilities-cve-2018-10300-and-cve-2018-10301-7173ffc4c271 · https://wpvulndb.com/vulnerabilities/9393
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-10300 – WD Instagram Feed <= 1.3.0 - Cross-site scripting
https://notcve.org/view.php?id=CVE-2018-10300
Cross-site scripting (XSS) vulnerability in the Web-Dorado Instagram Feed WD plugin before 1.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML by passing payloads in an Instagram profile's bio. WordPress WD Instagram Feed version 1.3.0 suffers from multiple cross site scripting vulnerabilities. Together with CVE-2018-10301 this is the same defect in two places: content fetched from the Instagram API is rendered as HTML without escaping, and an attacker needs no account on the WordPress site, only an Instagram comment or bio the feed will display.
• References: https://medium.com/%40squeal/wd-instagram-feed-1-3-0-xss-vulnerabilities-cve-2018-10300-and-cve-2018-10301-7173ffc4c271 · https://wpvulndb.com/vulnerabilities/9393
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
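The rendering mistake behind both CVE-2018-10300 (profile bio) and CVE-2018-10301 (post comment), and the context-aware escaping that fixes it, as one added example. This is not the WD Instagram Feed plugin's code; the ig_ function names, the field names and the hostile sample records are constructed.

```php
<?php
// Added example, not the WD Instagram Feed plugin's code. Everything pulled from the
// Instagram API (usernames, profile bios, post comments) is written by arbitrary third
// parties, so it is untrusted input and must be escaped for the exact HTML context it
// lands in. Function names and the sample data are constructed.

// Escape for HTML text nodes and double-quoted attribute values.
function ig_esc($s) {
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Only allow http(s) links; javascript:, data: and malformed values collapse to '#'.
function ig_safe_url($u) {
    $u = filter_var((string) $u, FILTER_VALIDATE_URL);
    if ($u === false) {
        return '#';
    }
    $scheme = strtolower((string) parse_url($u, PHP_URL_SCHEME));
    return in_array($scheme, array('http', 'https'), true) ? $u : '#';
}

// Vulnerable shape: API fields concatenated straight into markup.
function ig_render_comment_vulnerable(array $c) {
    return '<li><a href="' . $c['profile_url'] . '">' . $c['username'] . '</a>: '
        . $c['text'] . '</li>';
}

// Hardened shape: each value escaped for its context (URL, attribute, text).
function ig_render_comment(array $c) {
    return '<li class="ig-comment">'
        . '<a href="' . ig_esc(ig_safe_url($c['profile_url'])) . '">'
        . ig_esc($c['username']) . '</a>: '
        . ig_esc($c['text'])
        . '</li>';
}

function ig_render_bio(array $profile) {
    return '<p class="ig-bio" title="' . ig_esc($profile['username']) . '">'
        . ig_esc($profile['bio']) . '</p>';
}

// Constructed sample resembling a hostile comment and a hostile profile.
$comment = array(
    'username'    => 'mallory',
    'profile_url' => 'javascript:alert(document.cookie)',
    'text'        => '<img src=x onerror=alert(1)>',
);
$profile = array(
    'username' => '" onmouseover="alert(2)',
    'bio'      => '<script>alert(3)</script>',
);

echo ig_render_comment_vulnerable($comment), "\n";   // payload reaches the page intact
echo ig_render_comment($comment), "\n";              // rendered as inert text
echo ig_render_bio($profile), "\n";
```

Inside WordPress the equivalents are esc_html(), esc_attr() and esc_url(), and the rule is the same: escape at output time for the context the value lands in, never trust a third-party API to have sanitized its users' content, and treat a feed integration as an unauthenticated input channel into every page where the feed is embedded.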