CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-1649 – ChatBot < 4.5.1 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-1649
12 Apr 2023 — The AI ChatBot WordPress plugin before 4.5.1 does not sanitise and escape numerous of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) The AI ChatBot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 4.4.9 due to insufficient input sanitization and output escaping. This makes it possible f... • https://wpscan.com/vulnerability/ea806115-14ab-4bc4-a272-2141cb14454a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-1650 – ChatBot < 4.4.7 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2023-1650
12 Apr 2023 — The AI ChatBot WordPress plugin before 4.4.7 unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog The ChatBot plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.4.6 via deserialization of untrusted input from cookies This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin.... • https://wpscan.com/vulnerability/7d7fe498-0aa3-4fa7-b560-610b42b2abed • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24415 – WordPress AI ChatBot plugin <= 4.2.8 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-24415
27 Jan 2023 — Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud AI ChatBot plugin <= 4.2.8 versions. Vulnerabilidad Cross-Site Request Forgery (CSRF) en versiones 4.2.8 y anteriores del plugin QuantumCloud ChatBot ?. The ChatBot plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.2.8. This is due to missing or incorrect nonce validation on the 'qcld_wb_chatbot_save_options' function. This makes it possible for unauthenticated attackers to inject arbitrary web... • https://patchstack.com/database/vulnerability/chatbot/wordpress-chatbot-plugin-4-2-8-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2022-47613 – WordPress AI ChatBot Plugin <= 4.3.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-47613
27 Jan 2023 — Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in QuantumCloud AI ChatBot plugin <= 4.3.0 versions. The ChatBot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘qlcd_wp_chatbot_email_sub’ parameter in versions up to, and including, 4.3.0 due to insufficient input sanitization and output escaping. This makes it possible for administrator-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Auth. • https://patchstack.com/database/vulnerability/chatbot/wordpress-chatbot-plugin-4-3-0-multiple-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23981 – WordPress Conversational Forms for ChatBot Plugin <= 1.1.6 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-23981
20 Jan 2023 — Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in QuantumCloud Conversational Forms for ChatBot plugin <= 1.1.6 versions. The Conversational Forms for ChatBot for WordPress is vulnerable to Stored Cross-Site Scripting via a form name in versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrative-level permissions and above, to inject arbitrary web scripts in pages that will execute wh... • https://patchstack.com/database/vulnerability/conversational-forms/wordpress-conversational-forms-for-chatbot-plugin-1-1-6-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3074 – Slider Hero < 8.4.4 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-3074
05 Sep 2022 — The Slider Hero WordPress plugin before 8.4.4 does not escape the slider Name, which could allow high-privileged users to perform Cross-Site Scripting attacks. El plugin Slider Hero de WordPress versiones anteriores a 8.4.4, no escapa del nombre del slider, lo que podría permitir a usuarios con altos privilegios llevar a cabo ataques de tipo Cross-Site Scripting. The Slider Hero plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slider title parameter in versions up to, and including,... • https://wpscan.com/vulnerability/90ebaedc-89df-413f-b22e-753d4dd5e1c3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 7%CPEs: 1EXPL: 1CVE-2022-0747 – Infographic Maker - iList < 4.3.8 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2022-0747
28 Feb 2022 — The Infographic Maker WordPress plugin before 4.3.8 does not validate and escape the post_id parameter before using it in a SQL statement via the qcld_upvote_action AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL Injection El plugin Infographic Maker de WordPress versiones anteriores a 4.3.8, no comprueba ni escapa del parámetro post_id antes de usarlo en una sentencia SQL por medio de la acción AJAX qcld_upvote_action (disponible para usuarios autentica... • https://plugins.trac.wordpress.org/changeset/2684336 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 7%CPEs: 1EXPL: 1CVE-2022-0760 – Simple Link Directory < 7.7.2 - Unauthenticated SQL injection
https://notcve.org/view.php?id=CVE-2022-0760
28 Feb 2022 — The Simple Link Directory WordPress plugin before 7.7.2 does not validate and escape the post_id parameter before using it in a SQL statement via the qcopd_upvote_action AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL Injection El plugin Simple Link Directory de WordPress versiones anteriores a 7.7.2 no comprueba ni escapa el parámetro post_id antes de usarlo en una sentencia SQL por medio de la acción AJAX qcopd_upvote_action (disponible para usuarios a... • https://plugins.trac.wordpress.org/changeset/2684915 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 2CVE-2021-24725 – Comment Link Remove and Other Comment Tools < 2.1.6 - Arbitrary Comment Deletion via CSRF
https://notcve.org/view.php?id=CVE-2021-24725
23 Aug 2021 — The Comment Link Remove and Other Comment Tools WordPress plugin before 2.1.6 does not have CSRF check in its 'Delete comments easily', which could allow attackers to make logged in admin delete arbitrary comments El plugin Comment Link Remove and Other Comment Tools de WordPress versiones anteriores a 2.1.6, no presenta una comprobación de tipo CSRF en su acción "Delete comments easily", lo que podría permitir a atacantes hacer que el administrador conectado elimine comentarios arbitrarios • https://wpscan.com/vulnerability/01483284-57f5-4ae9-b5f1-ae26b623571f • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24506 – Slider Hero < 8.2.7 - Contributor+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-24506
26 Jul 2021 — The Slider Hero with Animation, Video Background & Intro Maker WordPress plugin before 8.2.7 does not sanitise or escape the id attribute of its hero-button shortcode before using it in a SQL statement, allowing users with a role as low as Contributor to perform SQL injection. El plugin de WordPress Slider Hero with Animation, Video Background & Intro Maker versiones anteriores a 8.2.7, no sanea o escapa del atributo id de su shortcode hero-button antes de usarlo en una sentencia SQL, permitiendo a usua... • https://wpscan.com/vulnerability/52c8755c-46b9-4383-8c8d-8816f03456b0 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •