CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2302 – Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) <= 3.2.9 - Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2024-2302
The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.9. This makes it possible for unauthenticated attackers to download the debug log via Directory Listing. This file may include PII. El complemento Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) para WordPress es vulnerable a la exposición de información confidencial en todas las versiones hasta la 3.2.9 incluida. Esto hace posible que atacantes no autenticados descarguen el registro de depuración a través del Listado de directorios. • https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/includes/class-edd-logging.php#L621 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3060808%40easy-digital-downloads%2Ftrunk&old=3042139%40easy-digital-downloads%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/0837ba20-4b47-4cc8-9eb3-322289513d79?source=cve • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1935 – Giveaways and Contests by RafflePress <= 1.12.5 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-1935
The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘parent_url’ parameter in all versions up to, and including, 1.12.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del parámetro 'parent_url' en todas las versiones hasta la 1.12.5 incluida debido a una insuficiencia higienización de insumos y escape de salidas. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.5/resources/views/rafflepress-giveaway.php https://plugins.trac.wordpress.org/changeset?old_path=/rafflepress/tags/1.12.5&old=3043286&new_path=/rafflepress/tags/1.12.7&new=3043286&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/29b471ac-3a08-42da-9907-670c3b3bae92?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0903 – User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds <= 1.0.13 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-0903
The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_submitted' 'link' value in all versions up to, and including, 1.0.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the feedback submission page that will execute when a user clicks the link, while also pressing the command key. El complemento User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del valor de "enlace" 'page_submitted' en todas las versiones hasta la 1.0.13 incluida, debido a una sanitización insuficiente de los insumos y escape de los productos. Esto hace posible que atacantes no autenticados inyecten scripts web arbitrarios en la página de envío de comentarios que se ejecutarán cuando un usuario haga clic en el enlace y al mismo tiempo presione la tecla Comando. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3038797%40userfeedback-lite&new=3038797%40userfeedback-lite&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/a649fbea-65cf-45c9-b853-2733f27518af?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •