Page 53 of 1616 results (0.113 seconds)

CVSS: 10.0 | EPSS: 2% | CPEs: 1 | EXPL: 2

21 Dec 2023 — The Essential Blocks WordPress plugin before 4.4.3 does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks. The Essential Blocks – Page Bui... • https://wpscan.com/blog/file-inclusion-vulnerability-fixed-in-essential-blocks-4-4-3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

19 Dec 2023 — The Advanced Category Template plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. • https://patchstack.com/database/vulnerability/advanced-category-template/wordpress-advanced-category-template-plugin-0-1-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

15 Dec 2023 — The Duplicator WordPress plugin before 1.3.0 does not properly escape values when its installer script replaces values in WordPress configuration files. ... The Duplicator – WordPress Migration & Backup Plugin plugin for WordPress is vulnerable to Remote Code Execution ... • https://wpscan.com/vulnerability/16cc47aa-cb31-4114-b014-7ac5fbc1d3ee • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

15 Dec 2023 — The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. ... • https://plugins.trac.wordpress.org/changeset/3007879/mw-wp-form • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

11 Dec 2023 — The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to its affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs, including RFC1918 private addresses, leading to a Server Side Request Forgery (SSRF) issue. • https://wpscan.com/vulnerability/39ed4934-3d91-4924-8acc-25759fef9e81 • CWE-862: Missing Authorization CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 10.0 | EPSS: 95% | CPEs: 1 | EXPL: 5

11 Dec 2023 — The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. ... WordPress Backup Migration plugin versions 1.3.7 and below suffer from a remote code execution vulnerability. • http://packetstormsecurity.com/files/176638/WordPress-Backup-Migration-1.3.7-Remote-Command-Execution.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

10 Dec 2023 — The CommentTweets WordPress plugin through 0.6 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. The CommentTweets plugin for WordPress is vulnerable t... • https://magos-securitas.com/txt/2023-6845 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

08 Dec 2023 — The Digital Publications by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.6. ... • https://plugins.trac.wordpress.org/browser/digital-publications-by-supsystic/trunk/classes/frame.php#L144 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

07 Dec 2023 — The PayTR Taksit Tablosu plugin for WordPress is vulnerable to improper authorization in versions up to, and including, 1.3.2. • https://patchstack.com/database/vulnerability/paytr-taksit-tablosu-woocommerce/wordpress-paytr-taksit-tablosu-woocommerce-plugin-1-3-1-broken-authentication-vulnerability? • CWE-285: Improper Authorization CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

07 Dec 2023 — The Caddy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.9.7. • https://patchstack.com/database/vulnerability/caddy/wordpress-caddy-plugin-1-9-7-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •