
CVE-2022-2377 – Directorist < 7.3.0 - Subscriber+ Arbitrary E-mail Sending
https://notcve.org/view.php?id=CVE-2022-2377
26 Jul 2022 — The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user to send arbitrary emails on behalf of the blog. The Directorist – WordPress Business Directory Plugin with Classified Ads Li... • https://wpscan.com/vulnerability/f4e606e9-0664-42fb-a59b-21de306eb530 • CWE-352: Cross-Site Request Forgery (CSRF) • CWE-862: Missing Authorization

CVE-2022-34650 – WordPress Team plugin <= 1.2.6 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
https://notcve.org/view.php?id=CVE-2022-34650
20 Jul 2022 — Multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in wpWax Team plugin <= 1.2.6 at WordPress. The Team plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 1.2.6 due to insuffici... • https://patchstack.com/database/vulnerability/adl-team/wordpress-team-plugin-1-2-6-multiple-stored-cross-site-scripting-xss-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-34853 – WordPress Team plugin <= 1.2.6 - Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities
https://notcve.org/view.php?id=CVE-2022-34853
20 Jul 2022 — Multiple Authenticated (contributor or higher user role) Persistent Cross-Site Scripting (XSS) vulnerabilities in wpWax Team plugin <= 1.2.6 at WordPress. The Team plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 1.2.6 due to insufficien... • https://patchstack.com/database/vulnerability/adl-team/wordpress-team-plugin-1-2-6-multiple-authenticated-persistent-cross-site-scripting-xss-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-2046 – Directorist - Business Directory Plugin < 7.2.3 - Admin+ Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2022-2046
18 Jul 2022 — The Directorist WordPress plugin before 7.2.3 allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. This could allow administrators to run code on the server, which is a problem in multisite configurations. • https://plugins.trac.wordpress.org/changeset/2752034/directorist?contextall=1&old=2731298&old_path=%2Fdirectorist • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2022-1266 – Post Grid, Slider & Carousel Ultimate < 1.5.0 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-1266
26 May 2022 — The Post Grid, Slider & Carousel Ultimate WordPress plugin before 1.5.0 does not sanitise and escape the Header Title, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. • https://wpscan.com/vulnerability/7800d583-fcfc-4360-9dc3-af3f73e12ab4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-24981 – Directorist – Business Directory Plugin < 7.0.6.2 - CSRF to Remote File Upload
https://notcve.org/view.php?id=CVE-2021-24981
16 Nov 2021 — The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory. • https://blog.sucuri.net/2021/11/fake-ransomware-infection-spooks-website-owners.html • CWE-352: Cross-Site Request Forgery (CSRF) • CWE-434: Unrestricted Upload of File with Dangerous Type