CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 3CVE-2023-5089 – Defender Security < 4.1.0 - Protection Bypass (Hidden Login Page)
https://notcve.org/view.php?id=CVE-2023-5089
06 Sep 2023 — The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled. El complemento Defender Security para WordPress anterior a 4.1.0 no impide las redirecciones a la página de inicio de sesión a través de la función auth_redirect de WordPress, lo que permite que un visitante no autenticado acceda a la página... • https://github.com/Cappricio-Securities/CVE-2023-5089 • CWE-693: Protection Mechanism Failure •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1009 – Smush < 3.9.9 - Admin+ Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1009
03 May 2022 — The Smush WordPress plugin before 3.9.9 does not sanitise and escape a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to a Reflected Cross-Site Scripting. For the attack to be successful, an attacker would need an admin to upload a malicious configuration file El plugin Smush de WordPress versiones anteriores a 3.9.9, no sanea y escapa de un parámetro de configuración antes de devolverlo a una página de administración cuando es car... • https://wpscan.com/vulnerability/bb5af08f-bb19-46a1-a7ac-8381f428c11e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 8CVE-2021-4425 – Defender Security <= 2.4.6 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2021-4425
01 Mar 2021 — The Defender Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.6. This is due to missing or incorrect nonce validation on the verify_otp_login_time() function. This makes it possible for unauthenticated attackers to verify a one time login via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-18510 – Custom Sidebars <= 3.0.9 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2017-18510
04 Oct 2017 — The custom-sidebars plugin before 3.1.0 for WordPress has CSRF related to set location, import actions, and export actions. El plugin custom-sidebars versiones anteriores a 3.1.0 para WordPress, presenta una vulnerabilidad de tipo CSRF relacionada con ubicación establecida, acciones de importación y acciones de exportación. • https://wordpress.org/plugins/custom-sidebars/#developers • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15079 – Smush – Lazy Load Images, Optimize & Compress Images <= 2.7.5 - Directory Traversal
https://notcve.org/view.php?id=CVE-2017-15079
21 Sep 2017 — The Smush Image Compression and Optimization plugin before 2.7.6 for WordPress allows directory traversal. El plugin Smush Image Compression and Optimization en versiones anteriores a la 2.7.6 para WordPress permite el salto de directorios. • https://wordpress.org/plugins/wp-smushit/#developers • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-18511 – Custom Sidebars <= 3.0.8 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2017-18511
29 Jun 2017 — The custom-sidebars plugin before 3.0.8.1 for WordPress has CSRF. El plugin custom-sidebars versiones anteriores a 3.0.8.1 para WordPress, presenta una vulnerabilidad de tipo CSRF. • https://wordpress.org/plugins/custom-sidebars/#developers • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2015-10098 – Broken Link Checker Plugin ui_get_action_links cross site scripting
https://notcve.org/view.php?id=CVE-2015-10098
20 Apr 2015 — A vulnerability was found in Broken Link Checker Plugin up to 1.10.5 on WordPress. It has been rated as problematic. Affected by this issue is the function print_module_list/show_warnings_section_notice/status_text/ui_get_action_links. The manipulation leads to cross site scripting. The attack may be launched remotely. • https://github.com/wp-plugins/broken-link-checker/commit/f30638869e281461b87548e40b517738b4350e47 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •