CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-4386 – Essential Blocks <= 4.2.0 - Unauthenticated PHP Object Injection via queries
https://notcve.org/view.php?id=CVE-2023-4386
The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_posts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. El complemento Essential Blocks para WordPress es vulnerable a la inyección de objetos PHP en versiones hasta la 4.2.0 incluida a través de la deserialización de entradas que no son de confianza en la función get_posts. • https://plugins.trac.wordpress.org/browser/essential-blocks/trunk/includes/API/PostBlock.php?rev=2950425#L30 https://www.wordfence.com/threat-intel/vulnerabilities/id/af468f83-d6ad-474c-bf7f-c4eeb6df1b54?source=cve • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51375 – WordPress EmbedPress plugin <= 3.8.3 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-51375
Missing Authorization vulnerability in WPDeveloper EmbedPress.This issue affects EmbedPress: from n/a through 3.8.3. Vulnerabilidad de autorización faltante en WPDeveloper EmbedPress. Este problema afecta a EmbedPress: desde n/a hasta 3.8.3. The EmbedPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.8.3. This is due to missing nonce validation on the clicked() function. • https://patchstack.com/database/vulnerability/embedpress/wordpress-embedpress-plugin-3-8-3-broken-access-control-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-4283 – EmbedPress <= 3.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2023-4283
The EmbedPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'embedpress_calendar' shortcode in versions up to, and including, 3.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/embedpress/tags/3.8.2/EmbedPress/ThirdParty/Googlecalendar/Embedpress_Google_Helper.php#L522 https://plugins.trac.wordpress.org/changeset/2950211/embedpress#file18 https://www.wordfence.com/threat-intel/vulnerabilities/id/b340eda1-e9d2-40b6-89f9-41d995ce3555?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-4282 – EmbedPress <= 3.8.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Delete via admin_post_remove and remove_private_data
https://notcve.org/view.php?id=CVE-2023-4282
The EmbedPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'admin_post_remove' and 'remove_private_data' functions in versions up to, and including, 3.8.2. This makes it possible for authenticated attackers with subscriber privileges or above, to delete plugin settings. • https://plugins.trac.wordpress.org/browser/embedpress/tags/3.8.2/EmbedPress/ThirdParty/Googlecalendar/Embedpress_Google_Helper.php#L801 https://plugins.trac.wordpress.org/browser/embedpress/tags/3.8.2/EmbedPress/ThirdParty/Googlecalendar/Embedpress_Google_Helper.php#L807 https://plugins.trac.wordpress.org/changeset/2950211/embedpress#file18 https://www.wordfence.com/threat-intel/vulnerabilities/id/5fa2ec9e-2859-4a96-9e33-9e22d37e544f?source=cve • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3779 – Essential Addons For Elementor <=5.8.1 - Unauthenticated MailChimp API Key Disclosure
https://notcve.org/view.php?id=CVE-2023-3779
The Essential Addons For Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in versions up to, and including, 5.8.1 due to the plugin adding the API key to the source code of any page running the MailChimp block. This makes it possible for unauthenticated attackers to obtain a site's MailChimp API key. We recommend resetting any MailChimp API keys if running a vulnerable version of this plugin with the MailChimp block enabled as the API key may have been compromised. This only affects sites running the premium version of the plugin and that have the Mailchimp block enabled on a page. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2938177%40essential-addons-for-elementor-lite&new=2938177%40essential-addons-for-elementor-lite&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/e007c713-74bc-4ff5-a198-70dcc8a8ee68?source=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •