CVE-2024-1295 – The Events Calendar (Free < 6.4.0.1, Pro < 6.4.0.1) - Contributor+ Arbitrary Events Access
https://notcve.org/view.php?id=CVE-2024-1295
The events-calendar-pro WordPress plugin before 6.4.0.1 and The Events Calendar WordPress plugin before 6.4.0.1 do not prevent users with at least the contributor role from leaking details about events they should not have access to (e.g. password-protected events, drafts, etc.). Multiple plugins and/or themes for WordPress are vulnerable to unauthorized access of data due to insufficient capability checks and restrictions on a function in various versions. • https://wpscan.com/vulnerability/3cffbeb0-545a-4002-b02c-0fa38cada1db • CWE-862: Missing Authorization •
CVE-2024-3972 – Similarity <= 3.0 - Stored XSS via CSRF
https://notcve.org/view.php?id=CVE-2024-3972
The Similarity WordPress plugin through 3.0 does not have CSRF checks in some places and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack. The Similarity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/55dfb9b5-d590-478b-bd1f-d420b79037fa • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-3966 – Pray For Me <= 1.0.4 - Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2024-3966
The Pray For Me WordPress plugin through 1.0.4 does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks that trigger when an admin visits the Prayer Requests in the WP Admin. The Pray For Me plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/9f0a575f-862d-4f2e-8d25-82c6f58dd11a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-3754 – Alemha Watermarker <= 1.3.1 - Author+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-3754
The Alemha watermarker WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). The Alemha watermarker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/8c6f3e3e-3047-4446-a190-750a60c29fa3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-4399 – CAS <= 1.0.0 - Unauthenticated SSRF
https://notcve.org/view.php?id=CVE-2024-4399
The CAS WordPress plugin through 1.0.0 does not validate a parameter before making a request to it, which could allow unauthenticated users to perform an SSRF attack. • https://wpscan.com/vulnerability/0690327e-da60-4d71-8b3c-ac9533d82302 •