Page 3 of 40 results

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

23 Dec 2022 — The MashShare WordPress plugin before 3.8.7 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. • https://wpscan.com/vulnerability/96e34d3d-627f-42f2-bfdb-c9d47dbf396c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Nov 2022 — The Download Monitor plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST-API routes related to reporting in versions up to, and including, 4.7.51. This makes it possible for unauthenticated attackers to view user data and other sensitive information intended for administrators. • https://www.wordfence.com/threat-intel/vulnerabilities/id/a9000c52-fdd7-43e2-ae6a-9f127c4a9fcd?source=cve • CWE-862: Missing Authorization

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

28 Oct 2022 — Unauthenticated Plugin Settings Change vulnerability in Modula plugin <= 2.6.9 on WordPress. The Customizable WordPress Gallery Plugin – Modula Image Gallery plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the update_troubleshooting_options function in versions up to, and including, 2.6.9. This makes it possible for unauthenticated attackers to updat... • https://patchstack.com/database/vulnerability/modula-best-grid-gallery/wordpress-modula-plugin-2-6-9-unauth-plugin-settings-change-vulnerability?_s_id=cve • CWE-284: Improper Access Control • CWE-862: Missing Authorization

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

19 Sep 2022 — The Download Monitor WordPress plugin before 4.5.98 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in a hardened environment or multisite setup. • https://wpscan.com/vulnerability/30ce32ce-161c-4388-8d22-751350b7b305 • CWE-552: Files or Directories Accessible to External Parties

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Sep 2022 — Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CPO Shortcodes plugin <= 1.5.0 at WordPress. The CPO Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticat... • https://patchstack.com/database/vulnerability/cpo-shortcodes/wordpress-cpo-shortcodes-plugin-1-5-0-authenticated-stored-cross-site-scripting-xss-vulnerability/_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Aug 2022 — Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in WPChill Gallery PhotoBlocks plugin <= 1.2.6 at WordPress. The Gallery PhotoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This... • https://patchstack.com/database/vulnerability/photoblocks-grid-gallery/wordpress-gallery-photoblocks-plugin-1-2-6-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities/_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Aug 2022 — Cross-Site Request Forgery (CSRF) vulnerabilities in WPChill Gallery PhotoBlocks plugin <= 1.2.6 at WordPress. The Gallery PhotoBlocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.8. This is due to missing nonce validation on the init() function. This makes it possible for unauthenticated at... • https://patchstack.com/database/vulnerability/photoblocks-grid-gallery/wordpress-gallery-photoblocks-plugin-1-2-6-cross-site-request-forgery-csrf-vulnerabilities • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 4.9 • EPSS: 0% • CPEs: 1 • EXPL: 1

27 Jun 2022 — The Download Monitor WordPress plugin before 4.5.91 does not ensure that files to be downloaded are inside the blog folders, and not sensitive, allowing high privilege users such as admin to download the wp-config.php or /etc/passwd even in a hardened environment or multisite setup. • https://wpscan.com/vulnerability/dd48624a-1781-419c-a3c4-1e3eaf5e2c1b • CWE-552: Files or Directories Accessible to External Parties

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

02 May 2022 — The Check & Log Email WordPress plugin before 1.0.6 does not sanitise and escape a parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting. • https://wpscan.com/vulnerability/83eca346-7045-414e-81fc-e0d9b735f0bd • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Apr 2022 — Multiple Unauthenticated Stored Cross-Site Scripting (XSS) vulnerabilities in KB Support (WordPress plugin) <= 1.5.5 versions. The plugin KB Support – WordPress Help Desk versions up to 1.5.5 are vulnerable to Cross-Site Scripting. The vulnerabilities allow unauthenticated attackers to inject arbitrary web scripts in pages that will execute... • https://patchstack.com/database/vulnerability/kb-support/wordpress-kb-support-wordpress-help-desk-plugin-1-5-5-multiple-unauthenticated-stored-cross-site-scripting-xss-vulnerabilities?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')