CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-6632 – Happy Addons for Elementor <= 3.9.1.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-6632
The Happy Addons for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via DOM in all versions up to and including 3.9.1.1 (versions up to 2.9.1.1 in Happy Addons for Elementor Pro) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. El complemento Happy Addons for Elementor para WordPress es vulnerable a Cross-Site Scripting reflejado a través de DOM en todas las versiones hasta la 3.9.1.1 incluida (versiones hasta la 2.9.1.1 en Happy Addons para Elementor Pro) debido a una samotozación de entrada insuficiente y un escape de salida . Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en páginas que se ejecutan si logran engañar a un usuario para que realice una acción como hacer clic en un enlace. • https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/extensions/scroll-to-top.php#L142 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3011757%40happy-elementor-addons%2Ftrunk&old=2987938%40happy-elementor-addons%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/06ef69f0-34d3-4389-8a81-a4d9922f1468?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51676 – WordPress Happy Addons for Elementor Plugin <= 3.9.1.1 is vulnerable to Server Side Request Forgery (SSRF)
https://notcve.org/view.php?id=CVE-2023-51676
Server-Side Request Forgery (SSRF) vulnerability in Leevio Happy Addons for Elementor.This issue affects Happy Addons for Elementor: from n/a through 3.9.1.1. Vulnerabilidad de Server-Side Request Forgery (SSRF) en Leevio Happy Addons for Elementor. Este problema afecta a Happy Addons for Elementor: desde n/a hasta 3.9.1.1. The Happy Addons for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to 3.10.0 (exclusive). This makes it possible for authenticated attackers, with contributor access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. • https://patchstack.com/database/vulnerability/happy-elementor-addons/wordpress-happy-addons-for-elementor-plugin-3-9-1-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40003 – WP Project Manager <= 2.6.7 - Missing Authorization
https://notcve.org/view.php?id=CVE-2023-40003
The WP Project Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on an unknown function in versions up to, and including, 2.6.7. This makes it possible for unauthenticated attackers to perform an unauthorized action. • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49860 – WordPress WP Project Manager Plugin <= 2.6.7 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-49860
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weDevs WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts allows Stored XSS.This issue affects WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts: from n/a through 2.6.7. Vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('Scripting entre sitios') en weDevs WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts permite almacenar XSS. Este problema afecta a WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts: desde n/a hasta 2.6.7. The WP Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/wedevs-project-manager/wordpress-wp-project-manager-plugin-2-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34383 – WordPress WP Project Manager Plugin <= 2.6.0 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-34383
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP Project Manager wedevs-project-manager allows SQL Injection.This issue affects WP Project Manager: from n/a through 2.6.0. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ('Inyección SQL') en weDevs WP Project Manager wedevs-project-manager permite la inyección SQL. Este problema afecta a WP Project Manager: desde n/a hasta 2.6.0. The WP Project Manager plugin for WordPress is vulnerable to SQL Injection via the user task starting date in versions up to, and including, 2.6.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/wedevs-project-manager/wordpress-wp-project-manager-task-team-and-project-management-plugin-featuring-kanban-board-and-gantt-charts-plugin-2-6-0-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •