CVE-2024-5943 – Nested Pages <= 3.2.7 - Cross-Site Request Forgery to Local File Inclusion
https://notcve.org/view.php?id=CVE-2024-5943
03 Jul 2024 — The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. ... • https://plugins.trac.wordpress.org/browser/wp-nested-pages/trunk/app/Config/Settings.php#L129 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-6172 – Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.25 - Unauthenticated SQL Injection via unsubscribe
https://notcve.org/view.php?id=CVE-2024-6172
01 Jul 2024 — The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.25 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for Wo... • https://wordpress.org/plugins/email-subscribers/#developers • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-6244 – pz-frontend-manager < 1.0.6 - CSRF change user profile picture
https://notcve.org/view.php?id=CVE-2024-6244
01 Jul 2024 — The PZ Frontend Manager WordPress plugin before 1.0.6 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. The PZ Frontend Manager plugin for WordPress ... • https://wpscan.com/vulnerability/73ba55a5-6cff-40fc-9686-30c50f060732 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-6265 – UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress <= 1.2.10 - Unauthenticated SQL Injection via 'uwp_sort_by'
https://notcve.org/view.php?id=CVE-2024-6265
28 Jun 2024 — The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to time-based SQL Injection via the 'uwp_sort_by' parameter in all versions up to, and including, 1.2.10 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. ...
CVE-2024-6205 – PayPlus Payment Gateway < 6.6.9 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2024-6205
28 Jun 2024 — The PayPlus Payment Gateway WordPress plugin before 6.6.9 does not properly sanitise and escape a parameter before using it in a SQL statement via a WooCommerce API route available to unauthenticated users, leading to an SQL injection vulnerability. • https://github.com/j3r1ch0123/CVE-2024-6205 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-6164 – Filter & Grids < 2.8.33 - Unauthenticated LFI
https://notcve.org/view.php?id=CVE-2024-6164
27 Jun 2024 — The Filter & Grids WordPress plugin before 2.8.33 is vulnerable to Local File Inclusion via the post_layout parameter. ... The Filter & Grids plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.8.32. • https://wpscan.com/vulnerability/40bd880e-67a1-4180-b197-8dcadaa0ace4 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVE-2024-6075 – WP eStore < 8.5.5 - Coupon Deletion via CSRF
https://notcve.org/view.php?id=CVE-2024-6075
24 Jun 2024 — The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. The WP eStore plugin for WordPr... • https://wpscan.com/vulnerability/b0e2658a-b075-48b6-a9d9-e141194117fc • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-6297 – Several WordPress.org Plugins <= Various Versions - Injected Backdoor
https://notcve.org/view.php?id=CVE-2024-6297
24 Jun 2024 — Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. ... • https://wordpress.org/support/topic/a-security-message-from-the-plugin-review-team • CWE-506: Embedded Malicious Code •
CVE-2024-37118 – WordPress Uncanny Automator Pro plugin <= 5.3 - Cross Site Request Forgery (CSRF) Leading to License Settings Reset vulnerability
https://notcve.org/view.php?id=CVE-2024-37118
21 Jun 2024 — The Uncanny Automator Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 5.3.0.1. • https://patchstack.com/database/vulnerability/uncanny-automator-pro/wordpress-uncanny-automator-pro-plugin-5-3-cross-site-request-forgery-csrf-leading-to-license-settings-reset-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-37227 – WordPress Newsletters plugin <= 4.9.7 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-37227
21 Jun 2024 — The Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.9.7. • https://patchstack.com/database/vulnerability/newsletters-lite/wordpress-newsletters-plugin-4-9-7-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •