CVE-2023-51358 – WordPress Block IPs for Gravity Forms Plugin <= 1.0.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-51358
26 Dec 2023 — The Block IPs for Gravity Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. • https://patchstack.com/database/vulnerability/gf-block-ips/wordpress-block-ips-for-gravity-forms-plugin-1-0-1-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-51378 – WordPress Rise Blocks Plugin <= 3.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-51378
26 Dec 2023 — The Rise Blocks – A Complete Gutenberg Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1. • https://patchstack.com/database/vulnerability/rise-blocks/wordpress-rise-blocks-plugin-3-1-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-51402 – WordPress Ultimate Addons for WPBakery Page Builder Plugin <= 3.19.17 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-51402
26 Dec 2023 — The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.19.17. • https://patchstack.com/database/vulnerability/ultimate_vc_addons/wordpress-ultimate-addons-for-wpbakery-page-builder-plugin-3-19-17-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-51700 – WP-Mobile-BankID-Integration WordPress Database Deserialization: Potential for Object Injection
https://notcve.org/view.php?id=CVE-2023-51700
26 Dec 2023 — Unofficial Mobile BankID Integration for WordPress lets users employ Mobile BankID to authenticate themselves on your WordPress site. ... This could lead to unauthorized code execution, data manipulation, or data exfiltration within the WordPress environment. ... • https://github.com/jamieblomerus/WP-Mobile-BankID-Integration/commit/8251c6298a995ccf4f26c43f03ed11a275dd0c5f • CWE-502: Deserialization of Untrusted Data •
CVE-2023-6049 – Estatik Real Estate Plugin < 4.1.1 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2023-6049
25 Dec 2023 — The Estatik Real Estate Plugin WordPress plugin before 4.1.1 unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog. • https://wpscan.com/vulnerability/8cfd8c1f-2834-4a94-a3fa-c0cfbe78a8b7 • CWE-502: Deserialization of Untrusted Data •
CVE-2023-50873 – WordPress Add Any Extension to Pages Plugin <= 1.4 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-50873
22 Dec 2023 — The Add Any Extension to Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. • https://patchstack.com/database/vulnerability/add-any-extension-to-pages/wordpress-add-any-extension-to-pages-plugin-1-4-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-6971 – Backup Migration 1.0.8 - 1.3.9 - Remote File Inclusion via content-dir
https://notcve.org/view.php?id=CVE-2023-6971
22 Dec 2023 — The Backup Migration plugin for WordPress is vulnerable to Remote File Inclusion in versions 1.0.8 to 1.3.9 via the 'content-dir' HTTP header. ... • https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.9/includes/backup-heart.php • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVE-2023-6972 – Backup Migration <= 1.3.9 - Unauthenticated Path Traversal to Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2023-6972
22 Dec 2023 — The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.9 via the 'content-backups' and 'content-name', 'content-manifest', or 'content-bmitmp' and 'content-identy' HTTP headers. ... • https://plugins.trac.wordpress.org/browser/backup-backup/tags/1.3.9/includes/backup-heart.php • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2023-50858 – WordPress Anti Hacker Plugin <= 4.34 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-50858
22 Dec 2023 — The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 4.35 (exclusive). • https://patchstack.com/database/vulnerability/antihacker/wordpress-anti-hacker-plugin-4-34-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-50839 – WordPress JS Help Desk – Best Help Desk & Support Plugin <= 2.8.1 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-50839
21 Dec 2023 — The JS Help Desk – Best Help Desk & Support Plugin plugin for WordPress is vulnerable to SQL Injection via the 'email' and 'trackingid' parameters in all versions up to 2.8.2 (exclusive) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://patchstack.com/database/vulnerability/js-support-ticket/wordpress-js-help-desk-plugin-2-8-1-unauthenticated-sql-injection-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •