CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2086 – Essential Blocks <= 4.0.6 - Missing Authorization via template_count
https://notcve.org/view.php?id=CVE-2023-2086
18 Apr 2023 — The Essential Blocks plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the template_count function in versions up to, and including, 4.0.6. This makes it possible for subscriber-level attackers to obtain plugin template information. While a nonce check is present, it is only executed when a nonce is provided. Not providing a nonce results in the nonce verification to be skipped. There is no capability check. • https://plugins.trac.wordpress.org/browser/essential-blocks/tags/4.0.6/includes/Admin/Admin.php • CWE-862: Missing Authorization •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2087 – Essential Blocks <= 4.0.6 - Cross-Site Request Forgery via save
https://notcve.org/view.php?id=CVE-2023-2087
18 Apr 2023 — The Essential Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.0.6. This is due to missing or incorrect nonce validation on the save function. This makes it possible for unauthenticated attackers to change plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/essential-blocks/tags/4.0.6/includes/Admin/Admin.php • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-46809 – WordPress ReviewX Plugin <= 1.6.7 is vulnerable to CSV Injection
https://notcve.org/view.php?id=CVE-2022-46809
13 Apr 2023 — Improper Neutralization of Formula Elements in a CSV File vulnerability in WPDeveloper ReviewX – Multi-criteria Rating & Reviews for WooCommerce.This issue affects ReviewX – Multi-criteria Rating & Reviews for WooCommerce: from n/a through 1.6.7. Neutralización inadecuada de elementos de fórmula en una vulnerabilidad de CSV File en WPDeveloper ReviewX – Multi-criteria Rating & Reviews for WooCommerce. Este problema afecta ReviewX – Multi-criteria Rating & Reviews for WooCommerce: desde n/a hasta 1.6... • https://patchstack.com/database/vulnerability/reviewx/wordpress-reviewx-plugin-1-6-6-csv-injection?_s_id=cve • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-26325 – ReviewX – Multi-criteria Rating & Reviews for WooCommerce <= 1.6.8 - Authenticated (Subscriber+) SQL Injection
https://notcve.org/view.php?id=CVE-2023-26325
23 Feb 2023 — The 'rx_export_review' action in the ReviewX WordPress Plugin, is affected by an authenticated SQL injection vulnerability in the 'filterValue' and 'selectedColumns' parameters. The ReviewX – Multi-criteria Rating & Reviews for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'filterValue' and 'selectedColumns' parameters passed through the 'rx_export_review' AJAX action in versions up to, and including, 1.6.8 due to insufficient escaping on the user supplied parameter and lack of suf... • https://www.tenable.com/security/research/tra-2023-2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-0683 – Essential Addons for Elementor Lite <= 5.0.8 Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0683
18 Feb 2022 — The Essential Addons for Elementor Lite WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the settings parameter found in the ~/includes/Traits/Helper.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 5.0.8. El plugin Essential Addons for Elementor Lite de WordPress es vulnerable a Cross-Site Scripting debi... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2680585%40essential-addons-for-elementor-lite&new=2680585%40essential-addons-for-elementor-lite&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 1CVE-2022-0349 – NotificationX < 2.3.9 - Unauthenticated Blind SQL Injection
https://notcve.org/view.php?id=CVE-2022-0349
02 Feb 2022 — The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, leading to an Unauthenticated Blind SQL Injection El plugin NotificationX de WordPress versiones anteriores a 2.3.9, no sanea y escapa del parámetro nx_id antes de usarlo en una sentencia SQL, conllevando a una inyección SQL ciega no autenticada The NotificationX WordPress plugin before 2.3.9 does not sanitise and escape the nx_id parameter before using it in a SQL statement, ... • https://wpscan.com/vulnerability/1d0dd7be-29f3-4043-a9c6-67d02746463a • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-0320 – Essential Addons for Elementor < 5.0.5 - Unauthenticated LFI
https://notcve.org/view.php?id=CVE-2022-0320
21 Jan 2022 — The Essential Addons for Elementor WordPress plugin before 5.0.5 does not validate and sanitise some template data before it them in include statements, which could allow unauthenticated attackers to perform Local File Inclusion attack and read arbitrary files on the server, this could also lead to RCE via user uploaded files or other LFI to RCE techniques. El plugin Essential Addons for Elementor de WordPress versiones anteriores a 5.0.5, no comprueba ni sanea algunos datos de las plantillas antes de inclu... • https://wpscan.com/vulnerability/0d02b222-e672-4ac0-a1d4-d34e1ecf4a95 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24812 – BetterLinks < 1.2.6 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24812
20 Oct 2021 — The BetterLinks WordPress plugin before 1.2.6 does not sanitise and escape some of imported link fields, which could lead to Stored Cross-Site Scripting issues when an admin import a malicious CSV. El plugin BetterLinks de WordPress versiones anteriores a 1.2.6, no sanea ni escapa de algunos campos imported link, que podría conllevar problemas de tipo Cross-Site Scripting almacenado cuando un administrador importa un CSV malicioso • https://wpscan.com/vulnerability/6bc8fff1-ff10-4175-8a46-563f0f26f96a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24633 – Countdown Block < 1.1.2 - Missing Authorisation in AJAX action
https://notcve.org/view.php?id=CVE-2021-24633
30 Aug 2021 — The Countdown Block WordPress plugin before 1.1.2 does not have authorisation in the eb_write_block_css AJAX action, which allows any authenticated user, such as Subscriber, to modify post contents displayed to users. El plugin Countdown Block de WordPress versiones anteriores a 1.1.2, no dispone de autorización en la acción AJAX eb_write_block_css, permitiendo a cualquier usuario autenticado, como Subscriber, modificar el contenido de la entrada que se muestra a usuarios • https://wpscan.com/vulnerability/431901eb-0f95-4033-b943-324e6d3844a5 • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2021-24354 – Simple 301 Redirects by BetterLinks - 2.0.0-2.0.3 - Arbitrary Plugin Installation
https://notcve.org/view.php?id=CVE-2021-24354
26 May 2021 — A lack of capability checks and insufficient nonce check on the AJAX action in the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4, made it possible for authenticated users to install arbitrary plugins on vulnerable sites. Una falta de comprobación de capacidad y la insuficiente comprobación de nonce en la acción AJAX en el plugin Simple 301 Redirects by BetterLinks WordPress versiones anteriores a 2.0.4, hace posible a usuarios autenticados instalar plugins arbitrarios en sitios vulnerabl... • https://wpscan.com/vulnerability/8638b36c-6641-491f-b9df-5db3645e4668 • CWE-862: Missing Authorization •