CVE-2024-5577 – Where I Was, Where I Will Be <= 1.1.1 - Unauthenticated Remote File Inclusion
https://notcve.org/view.php?id=CVE-2024-5577
13 Jun 2024 — The Where I Was, Where I Will Be plugin for WordPress is vulnerable to Remote File Inclusion in version <= 1.1.1 via the WIW_HEADER parameter of the /system/include/include_user.php file. ... • https://plugins.trac.wordpress.org/browser/where-i-was-where-i-will-be/trunk/system/include/include_user.php • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVE-2024-4371 – CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More <= 4.4.1 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2024-4371
12 Jun 2024 — The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.1 via deserialization of untrusted input from the recently_viewed_products cookie. ... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3099922%40woolementor&new=3099922%40woolementor&sfp_email=&sfph_mail= • CWE-502: Deserialization of Untrusted Data •
CVE-2024-2376 – WPQA < 6.1.1 - Arbitrary Category and Tag Follow/Unfollow via CSRF
https://notcve.org/view.php?id=CVE-2024-2376
12 Jun 2024 — The WPQA Builder WordPress plugin before 6.1.1 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. The WPQA Builder plugin for WordPress is vulnerable to Cross-S... • https://wpscan.com/vulnerability/bdd2e323-d589-4050-bc27-5edd2507a818 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-4898 – InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation
https://notcve.org/view.php?id=CVE-2024-4898
11 Jun 2024 — The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. ... • https://github.com/truonghuuphuc/CVE-2024-4898-Poc • CWE-862: Missing Authorization •
CVE-2023-52233 – WordPress POST SMTP Mailer plugin <= 2.8.6 - Broken Access Control on API vulnerability
https://notcve.org/view.php?id=CVE-2023-52233
11 Jun 2024 — Missing Authorization vulnerability in Post SMTP Post SMTP Mailer/Email Log. This issue affects Post SMTP Mailer/Email Log: from n/a through 2.8.6. • https://patchstack.com/database/vulnerability/post-smtp/wordpress-post-smtp-mailer-plugin-2-8-6-broken-access-control-on-api-vulnerability? • CWE-862: Missing Authorization •
CVE-2024-5767 – Sitetweet <= 0.2 - Stored XSS via CSRF
https://notcve.org/view.php?id=CVE-2024-5767
11 Jun 2024 — The sitetweet WordPress plugin through 0.2 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack. • https://wpscan.com/vulnerability/e4ba26b4-5f4f-4c9e-aa37-885b30ef8088 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-3922 – Dokan Pro <= 3.10.3 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2024-3922
11 Jun 2024 — The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. ... • https://dokan.co/docs/wordpress/changelog • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-5424 – WS Form LITE <= 1.9.217 - Unauthenticated CSV Injection
https://notcve.org/view.php?id=CVE-2023-5424
06 Jun 2024 — The WS Form LITE plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.217. ... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3098265%40ws-form&new=3098265%40ws-form&sfp_email=&sfph_mail= • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVE-2024-35689 – WordPress Analytify plugin <= 5.2.3 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-35689
06 Jun 2024 — The Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.3. • https://patchstack.com/database/vulnerability/wp-analytify/wordpress-analytify-plugin-5-2-3-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-35735 – WordPress WP Time Slots Booking Form plugin <= 1.2.11 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-35735
06 Jun 2024 — The WP Time Slots Booking Form plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the data_management() function in versions up to, and including, 1.2.11. • https://patchstack.com/database/vulnerability/wp-time-slots-booking-form/wordpress-wp-time-slots-booking-form-plugin-1-2-11-broken-access-control-vulnerability? • CWE-862: Missing Authorization •