
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

Authenticated Database Reset vulnerability in WordPress WP Reset PRO Premium plugin (versions <= 5.98) allows any authenticated user to wipe the entire database regardless of their authorization. It leads to a complete website reset and takeover.
• https://patchstack.com/database/vulnerability/wp-reset/wordpress-wp-reset-pro-premium-plugin-5-98-authenticated-database-reset-vulnerability
• https://patchstack.com/wp-reset-pro-critical-vulnerability-fixed
• https://wpreset.com/changelog
• CWE-284: Improper Access Control
• CWE-862: Missing Authorization

CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to set Cross-Site Scripting payloads in them (even when the unfiltered_html capability is disallowed), which will be triggered in the frontend.
• https://wpscan.com/vulnerability/174b2119-b806-4da4-a23d-c19b552c86cb
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

The WP Reset – Most Advanced WordPress Reset Tool WordPress plugin before 1.90 did not sanitise or escape its extra_data parameter when creating a snapshot via the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue.
• https://m0ze.ru/vulnerability/%5B2021-05-26%5D-%5BWordPress%5D-%5BCWE-79%5D-WP-Reset-WordPress-Plugin-v1.86.txt
• https://wpscan.com/vulnerability/90cf8f9d-4d37-405d-b161-239bdb281828
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

Unvalidated input: the 301 Redirects - Easy Redirect Manager WordPress plugin, versions before 2.51, did not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections.
• https://wpscan.com/vulnerability/19800898-d7b6-4edd-887b-dac3c0597f14
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.1 | EPSS: 0% | CPEs: 1 | EXPL: 2

The WordPress plugin, WP Database Reset through 3.1, contains a flaw that allowed any unauthenticated user to reset any table in the database to the initial WordPress set-up state (deleting all site content stored in that table), as demonstrated by a wp-admin/admin-post.php?db-reset-tables[]=comments URI.
• https://github.com/ElmouradiAmine/CVE-2020-7048
• https://wordpress.org/plugins/wordpress-database-reset/#developers
• https://wpvulndb.com/vulnerabilities/10027
• https://www.wordfence.com/blog/2020/01/easily-exploitable-vulnerabilities-patched-in-wp-database-reset-plugin
• CWE-287: Improper Authentication
• CWE-306: Missing Authentication for Critical Function