
CVSS: 6.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Icegram Icegram Collect plugin <= 1.3.8 versions. The Icegram Collect plugin for WordPress is vulnerable to Cross-Site Scripting via the 'rainmaker_form' shortcode in versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/icegram-rainmaker/wordpress-icegram-collect-easy-form-lead-collection-and-subscription-plugin-plugin-1-3-8-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Improper Neutralization of Formula Elements in a CSV File vulnerability in Icegram Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce. This issue affects Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce: from n/a through 5.5.2. The Icegram Express plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 5.5.2. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. • https://patchstack.com/database/vulnerability/email-subscribers/wordpress-icegram-express-email-subscribers-newsletters-and-marketing-automation-plugin-plugin-5-5-2-csv-injection?_s_id=cve • CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Icegram Express WordPress plugin before 5.5.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated user, such as a subscriber. The Icegram Express plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.4.19 due to insufficient escaping on a user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level privileges or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://wpscan.com/vulnerability/78054d08-0227-426c-903d-d146e0919028 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.1.8 does not sanitize and escape some campaign parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks. • https://wpscan.com/vulnerability/46ed56db-9b9d-4390-80fc-343a01fcc3c9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters to the `ajax_fetch_report_list` action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protection in place for the action, allowing an attacker to trick any logged-in user into performing the action by clicking a link. • https://github.com/RandomRobbieBF/CVE-2022-0439 • https://wpscan.com/vulnerability/729d3e67-d081-4a4e-ac1e-f6b0a184f095 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') • CWE-352: Cross-Site Request Forgery (CSRF)