CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49191 – WordPress GDPR Cookie Consent by Supsystic Plugin <= 2.1.2 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-49191
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Supsystic GDPR Cookie Consent by Supsystic allows Stored XSS.This issue affects GDPR Cookie Consent by Supsystic: from n/a through 2.1.2. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ("Cross-site Scripting") en Supsystic GDPR Cookie Consent by Supsystic permite almacenar XSS. Este problema afecta a GDPR Cookie Consent by Supsystic: desde n/a hasta 2.1.2. The GDPR Cookie Consent by Supsystic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/gdpr-compliance-by-supsystic/wordpress-gdpr-cookie-consent-by-supsystic-plugin-2-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-46197 – WordPress Popup by Supsystic plugin <= 1.10.19 - Unauthenticated Subscriber Email Addresses Disclosure
https://notcve.org/view.php?id=CVE-2023-46197
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in supsystic.Com Popup by Supsystic allows Relative Path Traversal.This issue affects Popup by Supsystic: from n/a through 1.10.19. Limitación incorrecta de una vulnerabilidad de nombre de ruta a un directorio restringido ("Path Traversal") en supsystic.Com Popup de Supsystic permite un path traversal relativa. Este problema afecta a Popup de Supsystic: desde n/a hasta 1.10.19. The Popup by Supsystic plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.10.19 via the getWpCsvList action. This makes it possible for authenticated attackers with subscriber level access or higher to extract sensitive data including subscriber email addresses. • https://github.com/RandomRobbieBF/CVE-2023-46197 https://patchstack.com/database/vulnerability/popup-by-supsystic/wordpress-popup-by-supsystic-plugin-1-10-19-unauthenticated-subscriber-email-addresses-disclosure?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-45068 – WordPress Contact Form by Supsystic Plugin <= 1.7.27 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-45068
Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Contact Form by Supsystic plugin <= 1.7.27 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento Supsystic Contact Form de Supsystic en versiones <= 1.7.27. The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.27. This is due to missing nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/contact-form-by-supsystic/wordpress-contact-form-by-supsystic-plugin-1-7-24-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-39997 – Popup by Supsystic <= 1.10.19 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2023-39997
The Popup by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.10.19. This is due to missing or incorrect nonce validation for a subset of actions on the 'havePermissions' function. This makes it possible for unauthenticated attackers to perform actions such as sending test emails or saving plugin options via a forged request granted they can trick an authorized user into performing an action such as clicking on a link. • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-3186 – Supsystic Popup < 1.10.19 - Prototype Pollution
https://notcve.org/view.php?id=CVE-2023-3186
The Popup by Supsystic WordPress plugin before 1.10.19 has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties into Object.prototype. The plugin Popup by Supsystic for WordPress is vulnerable to prototype pollution, which could make injecting malicious web scripts possible in some cases. • https://wpscan.com/vulnerability/545007fc-3173-47b1-82c4-ed3fd1247b9c • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •