CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-4283 – EmbedPress <= 3.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2023-4283
09 Aug 2023 — The EmbedPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embedpress_calendar' shortcode in versions up to, and including, 3.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/embedpress/tags/3.8.2/EmbedPress/ThirdParty/Googlecalendar/Embedpress_Google_Helper.php#L522 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3779 – Essential Addons For Elementor <=5.8.1 - Unauthenticated MailChimp API Key Disclosure
https://notcve.org/view.php?id=CVE-2023-3779
19 Jul 2023 — The Essential Addons For Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in versions up to, and including, 5.8.1 due to the plugin adding the API key to the source code of any page running the MailChimp block. This makes it possible for unauthenticated attackers to obtain a site's MailChimp API key. We recommend resetting any MailChimp API keys if running a vulnerable version of this plugin with the MailChimp block enabled as the API key may have been compromised. This onl... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2938177%40essential-addons-for-elementor-lite&new=2938177%40essential-addons-for-elementor-lite&sfp_email=&sfph_mail= • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3371 – EmbedPress <= 3.7.3 - Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2023-3371
26 Jun 2023 — The User Registration plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'lock_content_form_handler' and 'display_password_form' function in versions up to, and including, 3.7.3. This makes it possible for unauthenticated attackers to decrypt and view the password protected content. El plugin User Registration para WordPress es vulnerable a la exposición de información confidencial debido a la clave de cifrado embebida en las funciones "lock_content_f... • https://plugins.trac.wordpress.org/browser/embedpress/tags/3.7.3/EmbedPress/Includes/Classes/Helper.php#L231 • CWE-321: Use of Hard-coded Cryptographic Key •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 4CVE-2023-2833 – ReviewX <= 1.6.13 - Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-2833
31 May 2023 — The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.13 due to insufficient restriction on the 'rx_set_screen_options' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_screen_options[option]' and 'wp_screen_options[value]' parameters during a screen option update. WordPress ReviewX plugin versions 1.6.13 and below suffer from a privilege escalatio... • https://github.com/Alucard0x1/CVE-2023-2833 • CWE-269: Improper Privilege Management •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32241 – WordPress Essential Addons for Elementor Pro Plugin <= 5.4.8 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-32241
15 May 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPDeveloper Essential Addons for Elementor Pro plugin <= 5.4.8 versions. The Essential Addons for Elementor Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an actio... • https://patchstack.com/database/vulnerability/essential-addons-elementor/wordpress-essential-addons-for-elementor-pro-plugin-5-4-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32245 – WordPress Essential Addons for Elementor Pro Plugin <= 5.4.8 is vulnerable to Server Side Request Forgery (SSRF)
https://notcve.org/view.php?id=CVE-2023-32245
15 May 2023 — Cross-Site Request Forgery (CSRF) vulnerability in WPDeveloper Essential Addons for Elementor Pro.This issue affects Essential Addons for Elementor Pro: from n/a through 5.4.8. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en WPDeveloper Essential Addons para Elementor Pro. Este problema afecta a Essential Addons para Elementor Pro: desde n/a hasta 5.4.8. The Essential Addons for Elementor Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 5.4.8. Th... • https://patchstack.com/database/vulnerability/essential-addons-elementor/wordpress-essential-addons-for-elementor-pro-plugin-5-4-8-unauthenticated-server-side-request-forgery-ssrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 63%CPEs: 1EXPL: 9CVE-2023-32243 – WordPress Essential Addons for Elementor Plugin 5.4.0-5.7.1 is vulnerable to Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-32243
11 May 2023 — Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1. The Essential Addons for Elementor plugin for WordPress is vulnerable to Unauthenticated Arbitrary Password Resets to Privilege Escalation in versions up to, and including, 5.7.1. This is due to a lack of validation of a password reset key in the reset_password function. This makes it possible for unauthenticated attacke... • https://github.com/gbrsh/CVE-2023-32243 • CWE-287: Improper Authentication CWE-620: Unverified Password Change •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2083 – Essential Blocks <= 4.0.6 - Missing Authorization via save
https://notcve.org/view.php?id=CVE-2023-2083
18 Apr 2023 — The Essential Blocks plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the save function in versions up to, and including, 4.0.6. This makes it possible for subscriber-level attackers to save plugin settings. While a nonce check is present, it is only executed when a nonce is provided. Not providing a nonce results in the nonce verification to be skipped. There is no capability check. • https://plugins.trac.wordpress.org/browser/essential-blocks/tags/4.0.6/includes/Admin/Admin.php • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2084 – Essential Blocks <= 4.0.6 - Missing Authorization via get
https://notcve.org/view.php?id=CVE-2023-2084
18 Apr 2023 — The Essential Blocks plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the get function in versions up to, and including, 4.0.6. This makes it possible for subscriber-level attackers to obtain plugin settings. While a nonce check is present, it is only executed when a nonce is provided. Not providing a nonce results in the nonce verification to be skipped. There is no capability check. • https://plugins.trac.wordpress.org/browser/essential-blocks/tags/4.0.6/includes/Admin/Admin.php • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2085 – Essential Blocks <= 4.0.6 - Missing Authorization via templates
https://notcve.org/view.php?id=CVE-2023-2085
18 Apr 2023 — The Essential Blocks plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the templates function in versions up to, and including, 4.0.6. This makes it possible for subscriber-level attackers to obtain plugin template information. While a nonce check is present, it is only executed when a nonce is provided. Not providing a nonce results in the nonce verification to be skipped. There is no capability check. • https://plugins.trac.wordpress.org/browser/essential-blocks/tags/4.0.6/includes/Admin/Admin.php • CWE-862: Missing Authorization •