CVSS: 6.6EPSS: %CPEs: 1EXPL: 0CVE-2023-50897 – Media File Renamer <= 5.7.7 - Authenticated(Administrator+) Remote Code Execution
https://notcve.org/view.php?id=CVE-2023-50897
26 Dec 2023 — The Media File Renamer: Rename Files (Manual, Auto & AI) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.7.7. This makes it possible for authenticated attackers, with administrator access and above, to execute code on the server by renaming files containing PHP code. • CWE-73: External Control of File Name or Path •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-44227 – WordPress Simple File List Plugin <= 6.1.9 is vulnerable to Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2023-44227
28 Sep 2023 — Missing Authorization vulnerability in Mitchell Bennis Simple File List.This issue affects Simple File List: from n/a through 6.1.9. Vulnerabilidad de falta de autorización en Mitchell Bennis Simple File List. Este problema afecta a Simple File List: desde n/a hasta 6.1.9. The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion in versions up to, and including, 6.1.9. This is due to insufficient controls on files passed to a deletion function. • https://github.com/codeb0ss/CVE-2023-44227-PoC • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 1CVE-2022-48554 – file: stack-based buffer over-read in file_copystr in funcs.c
https://notcve.org/view.php?id=CVE-2022-48554
22 Aug 2023 — File before 5.43 has an stack-based buffer over-read in file_copystr in funcs.c. NOTE: "File" is the name of an Open Source project. A flaw was found in file, a program used to identify a particular file according to the type of data contained by the file. This issue occurs when processing a specially crafted file, causing a stack-based buffer over-read, resulting in an application crash. It was discovered that file incorrectly handled certain malformed files. • http://seclists.org/fulldisclosure/2024/Mar/21 • CWE-125: Out-of-bounds Read •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2023-3784 – Dooblou WiFi File Explorer cross site scripting
https://notcve.org/view.php?id=CVE-2023-3784
20 Jul 2023 — A vulnerability was found in Dooblou WiFi File Explorer 1.13.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument search/order/download/mode leads to cross site scripting. The attack can be launched remotely. • https://seclists.org/fulldisclosure/2023/Jul/37 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2023-3783 – Webile HTTP POST Request cross site scripting
https://notcve.org/view.php?id=CVE-2023-3783
20 Jul 2023 — A vulnerability was found in Webile 1.0.1. It has been classified as problematic. Affected is an unknown function of the component HTTP POST Request Handler. The manipulation of the argument new_file_name/c leads to cross site scripting. It is possible to launch the attack remotely. • https://seclists.org/fulldisclosure/2023/Jul/38 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0431 – File Away <= 3.9.9.0.1 - Contributor+ Stored XSS via Shortcode
https://notcve.org/view.php?id=CVE-2023-0431
16 May 2023 — The File Away WordPress plugin through 3.9.9.0.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. The File Away plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 3.9.9.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers wit... • https://wpscan.com/vulnerability/fdcbd9a3-552d-439e-b283-1d3d934889af • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-2678 – SourceCodester File Tracker Manager System POST Parameter save_user.php cross site scripting
https://notcve.org/view.php?id=CVE-2023-2678
12 May 2023 — A vulnerability has been found in SourceCodester File Tracker Manager System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /file_manager/admin/save_user.php of the component POST Parameter Handler. The manipulation of the argument firstname leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/csbsong/bug_report/blob/main/XSS.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-2643 – SourceCodester File Tracker Manager System POST Parameter update_password.php sql injection
https://notcve.org/view.php?id=CVE-2023-2643
11 May 2023 — A vulnerability classified as critical was found in SourceCodester File Tracker Manager System 1.0. This vulnerability affects unknown code of the file register/update_password.php of the component POST Parameter Handler. The manipulation of the argument new_password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/GZRsecurity/cve/blob/main/SQLi.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23676 – WordPress File Gallery Plugin <= 1.8.5.3 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-23676
19 Apr 2023 — Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Bruno "Aesqe" Babic File Gallery plugin <= 1.8.5.3 versions. The File Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘file_gallery_shortcode’ function in versions up to, and including, 1.8.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute ... • https://patchstack.com/database/vulnerability/file-gallery/wordpress-file-gallery-plugin-1-8-5-3-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-27245
https://notcve.org/view.php?id=CVE-2023-27245
27 Mar 2023 — A cross-site scripting (XSS) vulnerability in File Management Project 1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field under the Edit User module. • https://github.com/flyasolo/File-Management-System • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •