CVE-2023-28751 – WordPress Wp Ultimate Review Plugin <= 2.0.3 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-28751
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Wpmet Wp Ultimate Review plugin <= 2.0.3 versions. The Wp Ultimate Review plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled.
References: https://patchstack.com/database/vulnerability/wp-ultimate-review/wordpress-wp-ultimate-review-plugin-2-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0085 – Metform Elementor Contact Form Builder <= 3.2.1 - reCaptcha Protection Bypass
https://notcve.org/view.php?id=CVE-2023-0085
The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to reCaptcha Bypass in versions up to, and including, 3.2.1. This is due to insufficient server-side checking of the captcha value submitted during a form submission. This makes it possible for unauthenticated attackers to bypass Captcha restrictions and to use bots to submit forms.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2868889%40metform&new=2868889%40metform&sfp_email=&sfph_mail= ; https://wordpress.org/plugins/metform ; https://www.wordfence.com/threat-intel/vulnerabilities/id/69527d4b-49b6-47cd-93b6-39350f881ec9
CWE-693: Protection Mechanism Failure
CVE-2023-0084 – Metform Elementor Contact Form Builder <= 3.1.2 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-0084
The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via text areas on forms in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, which is the submissions page. WordPress Metform Elementor Contact Form Builder plugin versions 3.1.2 and below suffer from a persistent cross-site scripting vulnerability.
References: https://www.exploit-db.com/exploits/51204 ; https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2845078%40metform&new=2845078%40metform&sfp_email=&sfph_mail= ; https://wordpress.org/plugins/metform/#description ; https://www.wordfence.com/threat-intel/vulnerabilities/id/05f7d9fe-e95f-4ddf-9bce-2aeac3c2e946
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-47160 – WordPress Wp Social Plugin <= 1.9.0 is vulnerable to Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2022-47160
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wpmet Wp Social Login and Register Social Counter. This issue affects Wp Social Login and Register Social Counter: from n/a through 1.9.0. The Wp Social plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.9.0. This is due to missing capability checks on the 'export_users_content_csv' function.
References: https://patchstack.com/database/vulnerability/wp-social/wordpress-wp-social-plugin-1-9-0-auth-sensitive-information-disclosure-vulnerability?_s_id=cve
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-0788 – WP Fundraising Donation and Crowdfunding Platform < 1.5.0 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2022-0788
The WP Fundraising Donation and Crowdfunding Platform WordPress plugin before 1.5.0 does not sanitise and escape a parameter before using it in a SQL statement via one of its REST routes, leading to an SQL injection exploitable by unauthenticated users. The WP Fundraising Donation and Crowdfunding Platform WordPress plugin through 1.4.2 does not sanitise and escape a parameter before using it in a SQL statement via one of its REST routes, leading to an SQL injection exploitable by unauthenticated users.
References: https://wpscan.com/vulnerability/fbc71710-123f-4c61-9796-a6a4fd354828
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')