CVE-2020-25378 – WP Floating Menu <= 1.4.0 - Cross-Site Scripting via id Parameter
https://notcve.org/view.php?id=CVE-2020-25378
WordPress Plugin Store / AccessPress Themes WP Floating Menu V1.3.0 is affected by Cross-Site Scripting (XSS) via the id GET parameter.
References: https://zeroaptitude.com/misha/wordpress-plugin-bug-hunting-part-2
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-16949 – AccessPress Anonymous Post Pro <= 3.1.9 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2017-16949
An issue was discovered in the AccessKeys AccessPress Anonymous Post Pro plugin through 3.1.9 for WordPress. Improper input sanitization allows the attacker to override the settings for allowed file extensions and upload file size, related to inc/cores/file-uploader.php and file-uploader/file-uploader-class.php. This allows the attacker to upload anything they want to the server, as demonstrated by an action=ap_file_upload_action&allowedExtensions[]=php request to /wp-admin/admin-ajax.php that results in a .php file upload and resultant PHP code execution.
References: https://www.exploit-db.com/exploits/43324 ; http://packetstormsecurity.com/files/145398/Accesspress-Anonymous-Post-Pro-Unauthenticated-Arbitrary-File-Upload.html ; https://wpvulndb.com/vulnerabilities/8977
CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2017-15919 – Ultimate Form Builder Lite <= 1.3.6 - SQL Injection to PHP Object Injection
https://notcve.org/view.php?id=CVE-2017-15919
The ultimate-form-builder-lite plugin before 1.3.7 for WordPress has SQL Injection, with resultant PHP Object Injection, via wp-admin/admin-ajax.php.
References: http://www.securityfocus.com/bid/101604 ; https://wordpress.org/plugins/ultimate-form-builder-lite/#developers ; https://wpvulndb.com/vulnerabilities/8935 ; https://www.wordfence.com/blog/2017/10/zero-day-vulnerability-ultimate-form-builder-lite
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')