CVE-2024-37228 – WordPress InstaWP Connect plugin <= 0.1.0.38 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-37228
21 Jun 2024 — The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.1.0.38. • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-38-arbitrary-file-upload-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-37230 – WordPress Book Landing Page theme <= 1.2.3 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-37230
21 Jun 2024 — The Book Landing Page theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. • https://patchstack.com/database/vulnerability/book-landing-page/wordpress-book-landing-page-theme-1-2-3-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-6022 – ContentLock <= 1.0.3 - Settings Update via CSRF
https://notcve.org/view.php?id=CVE-2024-6022
21 Jun 2024 — The ContentLock WordPress plugin through 1.0.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
CVE-2024-6023 – ContentLock <= 1.0.3 - Email Adding via CSRF
https://notcve.org/view.php?id=CVE-2024-6023
21 Jun 2024 — The ContentLock WordPress plugin through 1.0.3 does not have a CSRF check in place when adding emails, which could allow attackers to make a logged-in admin perform such an action via a CSRF attack. • https://wpscan.com/vulnerability/6e812189-2980-453d-931d-1f785e8dbcc0 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-5756 – Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.23 - Unauthenticated SQL Injection via optin
https://notcve.org/view.php?id=CVE-2024-5756
20 Jun 2024 — The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/includes/db/class-es-db-contacts.php#L532 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-37089 – WordPress Consulting Elementor Widgets plugin <= 1.3.0 - Unauthenticated Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2024-37089
20 Jun 2024 — The Consulting Elementor Widgets plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.0. • https://patchstack.com/database/vulnerability/consulting-elementor-widgets/wordpress-consulting-elementor-widgets-plugin-1-3-0-unauthenticated-local-file-inclusion-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVE-2024-37198 – WordPress Digital Newspaper theme <= 1.1.5 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-37198
20 Jun 2024 — The Digital Newspaper theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.5. • https://patchstack.com/database/vulnerability/digital-newspaper/wordpress-digital-newspaper-theme-1-1-5-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-37212 – WordPress AliExpress Dropshipping with AliNext Lite plugin <= 3.3.5 - CSRF to PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-37212
20 Jun 2024 — The Ali2Woo Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.4. • https://patchstack.com/database/vulnerability/ali2woo-lite/wordpress-aliexpress-dropshipping-with-alinext-lite-plugin-3-3-5-csrf-to-php-object-injection-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-37112 – WordPress WishList Member X plugin < 3.26.7 - Unauthenticated Arbitrary SQL Query Execution vulnerability
https://notcve.org/view.php?id=CVE-2024-37112
20 Jun 2024 — The WishList Member X plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.25.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-unauthenticated-arbitrary-sql-query-execution-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-3605 – WP Hotel Booking <= 2.1.0 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2024-3605
19 Jun 2024 — The WP Hotel Booking plugin for WordPress is vulnerable to SQL Injection via the 'room_type' parameter of the /wphb/v1/rooms/search-rooms REST API endpoint in all versions up to, and including, 2.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. ... • https://wordpress.org/plugins/wp-hotel-booking • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •