
CVE-2021-24711 – Software License Manager < 4.5.1 - Arbitrary Domain Deletion via CSRF
https://notcve.org/view.php?id=CVE-2021-24711
13 Sep 2021 — The del_reistered_domains AJAX action of the Software License Manager WordPress plugin before 4.5.1 does not have any CSRF checks and is vulnerable to a CSRF attack. The Software License Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to...
• https://jetpack.com/2021/09/14/csrf-vulnerability-found-in-software-license-manager-plugin
• CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2021-24692 – Simple Download Monitor < 3.9.5 - Contributor+ Arbitrary File Download via Path Traversal
https://notcve.org/view.php?id=CVE-2021-24692
02 Sep 2021 — The Simple Download Monitor WordPress plugin before 3.9.5 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector.
• https://wpscan.com/vulnerability/4c9fe97e-3d9b-4079-88d9-34e2d0605215
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2021-24665 – WP Video Lightbox < 1.9.3 - Contributor+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24665
23 Aug 2021 — The WP Video Lightbox WordPress plugin before 1.9.3 does not escape the attributes of its shortcodes, allowing users with a role as low as Contributor to perform Cross-Site Scripting attacks.
• https://wpscan.com/vulnerability/42a8947f-2ae5-4f12-bd3d-ab3716501df5
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-24560 – Software License Manager < 4.4.8 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24560
11 Aug 2021 — The Software License Manager WordPress plugin before 4.4.8 does not sanitise or escape the edit_record parameter before outputting it back in the page in the admin dashboard, leading to a Reflected Cross-Site Scripting issue.
• https://wpscan.com/vulnerability/d51fcd97-e535-42dd-997a-edc2f5f12269
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-20782 – Software License Manager < 4.4.6 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2021-20782
08 Jul 2021 — Cross-site request forgery (CSRF) vulnerability in Software License Manager versions prior to 4.4.6 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
• https://jvn.jp/en/jp/JVN89054582/index.html
• CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2020-29171 – All In One WP Security & Firewall <= 4.4.5 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-29171
24 Dec 2020 — Cross-site scripting (XSS) vulnerability in admin/wp-security-blacklist-menu.php in the Tips and Tricks HQ All In One WP Security & Firewall (all-in-one-wp-security-and-firewall) plugin before 4.4.6 for WordPress.
• https://github.com/Arsenal21/all-in-one-wordpress-security/commit/4130906bc049b195467b4fc6980d6d304fbe28d5
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-5650 – Simple Download Monitor <= 3.8.8 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-5650
21 Oct 2020 — Cross-site scripting vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors. The Simple Download Monitor plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 3.8.8 due to insufficient input s...
• https://jvn.jp/en/jp/JVN31425618/index.html
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-5651 – Simple Download Monitor <= 3.8.8 - SQL Injection
https://notcve.org/view.php?id=CVE-2020-5651
21 Oct 2020 — SQL injection vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to execute arbitrary SQL commands via a specially crafted URL. The Simple Download Monitor plugin for WordPress is vulnerable to generic SQL Injection in versions up to, and including, 3.8.8 due to insufficient es...
• https://jvn.jp/en/jp/JVN31425618/index.html
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2016-10887 – All In One WP Security & Firewall <= 4.0.8 - SQL Injection
https://notcve.org/view.php?id=CVE-2016-10887
14 Aug 2019 — The all-in-one-wp-security-and-firewall plugin before 4.0.9 for WordPress has multiple SQL injection issues.
• https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/#developers
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2019-5993 – Category Specific RSS Feed Subscription <= 2.0 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2019-5993
18 Jul 2019 — Cross-site request forgery (CSRF) vulnerability in Category Specific RSS feed Subscription version v2.0 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
• http://jvn.jp/en/jp/JVN92510087/index.html
• CWE-352: Cross-Site Request Forgery (CSRF)