CVE-2022-2388 – WP Coder < 2.5.3 - Code Deletion via CSRF
https://notcve.org/view.php?id=CVE-2022-2388
The WP Coder WordPress plugin before 2.5.3 does not have a CSRF check in place when deleting code created by the plugin, which could allow attackers to make a logged-in admin delete arbitrary entries via a CSRF attack.
The WP Coder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation in the ~/admin/partials/tools-data-base.php file. This makes it possible for unauthenticated attackers to delete code created by the plugin via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
• https://wpscan.com/vulnerability/50acd35f-eb31-4aba-bf32-b390e9514beb
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-2245 – Counter Box < 1.2.1 - Arbitrary Counter Activation/Deactivation via CSRF
https://notcve.org/view.php?id=CVE-2022-2245
The Counter Box WordPress plugin before 1.2.1 lacks a CSRF check when activating and deactivating counters, which could allow attackers to make a logged-in admin perform such actions via CSRF attacks.
• https://wpscan.com/vulnerability/33705003-1f82-4b0c-9b4b-d4de75da309c
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-29446 – WordPress Counter Box plugin <= 1.1.1 - Authenticated Local File Inclusion (LFI) vulnerability
https://notcve.org/view.php?id=CVE-2022-29446
Authenticated (administrator or higher role) Local File Inclusion (LFI) vulnerability in Wow-Company's Counter Box plugin <= 1.1.1 for WordPress.
• https://patchstack.com/database/vulnerability/counter-box/wordpress-counter-box-plugin-1-1-1-authenticated-local-file-inclusion-lfi-vulnerability
• https://wordpress.org/plugins/counter-box/#developers
• CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
• CWE-552: Files or Directories Accessible to External Parties
CVE-2022-29447 – WordPress Hover Effects plugin <= 2.1 - Authenticated Local File Inclusion (LFI) vulnerability
https://notcve.org/view.php?id=CVE-2022-29447
Authenticated (administrator or higher user role) Local File Inclusion (LFI) vulnerability in Wow-Company's Hover Effects plugin <= 2.1 for WordPress.
• https://patchstack.com/database/vulnerability/hover-effects/wordpress-hover-effects-plugin-2-1-authenticated-local-file-inclusion-lfi-vulnerability
• https://wordpress.org/plugins/hover-effects/#developers
• CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
• CWE-552: Files or Directories Accessible to External Parties
CVE-2021-25064 – Wow Countdowns <= 3.1.2 - Admin+ SQLi
https://notcve.org/view.php?id=CVE-2021-25064
The Wow Countdowns WordPress plugin through 3.1.2 does not sanitize user input in the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL injection.
• https://wpscan.com/vulnerability/30c70315-3c17-41f0-a12f-7e3f793e259c
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')