CVE-2023-47661 – Dragfy Addons for Elementor <= 1.0.2 - Missing Authorization via save_settings
https://notcve.org/view.php?id=CVE-2023-47661
The Dragfy Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings function in versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's settings. • CWE-862: Missing Authorization
CVE-2023-47178 – WordPress The Plus Addons for Elementor Pro plugin <= 5.2.8 - Unauthenticated Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2023-47178
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows PHP Local File Inclusion. This issue affects The Plus Addons for Elementor Pro: from n/a through 5.2.8. The The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.2.8 via an unknown parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. • https://patchstack.com/database/vulnerability/theplus_elementor_addon/wordpress-the-plus-addons-for-elementor-pro-plugin-5-2-8-unauthenticated-local-file-inclusion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2023-5360 – Royal Elementor Addons and Templates < 1.3.79 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-5360
The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP files, and achieve RCE. The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.3.78. This is due to insufficient file type validation in the handle_file_upload() function called via AJAX, which allows attackers to supply a preferred filetype extension to the 'allowed_file_types' parameter, with a special character, which makes it possible for the uploaded file to bypass the plugin's filter list. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. • https://github.com/Chocapikk/CVE-2023-5360 https://github.com/1337r0j4n/CVE-2023-5360 https://github.com/tucommenceapousser/CVE-2023-5360 https://github.com/angkerithhack001/CVE-2023-5360-PoC https://github.com/phankz/Worpress-CVE-2023-5360 https://github.com/sagsooz/CVE-2023-5360 https://github.com/Pushkarup/CVE-2023-5360 https://github.com/nastar-id/CVE-2023-5360 https://github.com/Jenderal92/WP-CVE-2023-5360 http://packetstormsecurity.com/files/175992/WordPress-Royal-Elemento • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2023-41955 – WordPress Essential Addons for Elementor plugin <= 5.8.8 - Contributor+ Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2023-41955
Improper Privilege Management vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from n/a through 5.8.8. The Essential Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to and including 5.8.8 due to a lack of restrictions on who can add a registration form and a custom registration role to an Elementor created page. This makes it possible for attackers with access to the Elementor page builder to create a new registration form that defaults to the user role being set to administrator and subsequently register as an administrative user. • https://patchstack.com/database/vulnerability/essential-addons-for-elementor-lite/wordpress-essential-addons-for-elementor-plugin-5-8-8-contributor-privilege-escalation-vulnerability?_s_id=cve • CWE-269: Improper Privilege Management • CWE-862: Missing Authorization
CVE-2023-41656 – Better Elementor Addons <= 1.3.8 - Missing Authorization
https://notcve.org/view.php?id=CVE-2023-41656
The Better Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bea_admin_ajax() function hooked via an AJAX action in versions up to, and including, 1.3.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to save and reset the plugin's settings. • CWE-862: Missing Authorization