CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 4CVE-2021-25076 – WP User Frontend < 3.5.26 - SQL Injection to Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-25076
27 Dec 2021 — The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting El plugin WP User Frontend de WordPress versiones anteriores a 3.5.26, no comprueba ni escapa del parámetro status antes de usarlo en una sentencia SQL en el panel de control de los suscriptores, conllevando a una i... • https://www.exploit-db.com/exploits/50772 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-36826 – WordPress WP Project Manager plugin <= 2.4.13 - Stored Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2021-36826
11 Oct 2021 — Authenticated (subscriber or higher user role if allowed to access projects) Stored Cross-Site Scripting (XSS) vulnerability in weDevs WP Project Manager plugin <= 2.4.13 versions. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) Almacenada y Autenticada (rol de suscriptor o usuario superior si le es permitido acceder a proyectos) en versiones anteriores a 2.4.13 incluyéndola, de weDevs WP Project Manager (plugin de WordPress) The WP Project Manager plugin for WordPress is vulnerable to Stored Cross-Si... • https://patchstack.com/database/vulnerability/wedevs-project-manager/wordpress-wp-project-manager-plugin-2-4-13-stored-cross-site-scripting-xss-vulnerability-1?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 1CVE-2021-24292 – Happy Addons for Elementor Free < 2.24.0 and Pro < 1.17.0 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2021-24292
26 Apr 2021 — The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting(XSS) by lower-privileged users such as contributors, all via a similar method: The “Card” widget accepts a “title_tag” parameter. Although the element control lists a fixed set of possible html tags, it is possible to send a ‘save_builder’ request with the “heading_tag” set to “script”, and the actual “title” ... • https://wpscan.com/vulnerability/0f20e098-8106-451f-9448-d35a79f03077 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2020-36735 – WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting <= 1.6.3 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2020-36735
26 Sep 2020 — The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.3. This is due to missing or incorrect nonce validation on the handle_leave_calendar_filter, add_enable_disable_option_save, leave_policies, process_bulk_action, and process_crm_contact functions. This makes it possible for unauthenticated attackers to modify the plugins settings via a forged request granted th... • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-36745 – WP Project Manager <= 2.4.0 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2020-36745
16 Sep 2020 — The WP Project Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.0. This is due to missing or incorrect nonce validation on the do_updates() function. This makes it possible for unauthenticated attackers to trigger updates via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2020-36748 – Dokan <= 3.0.8 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2020-36748
16 Sep 2020 — The Dokan plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.8. This is due to missing or incorrect nonce validation on the handle_order_export() function. This makes it possible for unauthenticated attackers to trigger an order export via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks • CWE-352: Cross-Site Request Forgery (CSRF) •