CVE-2021-4424 – Slider Hero <= 8.2.0 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2021-4424
05 Jul 2021 — The Slider Hero plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.2.0. This is due to missing or incorrect nonce validation on the qc_slider_hero_duplicate() function. This makes it possible for unauthenticated attackers to duplicate slides via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2019-13463 – Simple Link Directory < 7.3.5 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-13463
09 Jul 2019 — An XSS vulnerability in qcopd-shortcode-generator.php in the Simple Link Directory plugin before 7.3.5 for WordPress allows remote attackers to inject arbitrary web script or HTML, because esc_html is not called for the "echo get_the_title()" or "echo $term->name" statement. • https://plugins.trac.wordpress.org/changeset?old_path=%2Fsimple-link-directory&old=2111131&new_path=%2Fsimple-link-directory&new=2111132&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')