CVE-2013-0731 – MailUp newsletter sign-up form < 1.3.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-0731
ajax.functions.php in the MailUp plugin before 1.3.3 for WordPress does not properly restrict access to unspecified Ajax functions, which allows remote attackers to modify plugin settings and conduct cross-site scripting (XSS) attacks by setting the wordpress_logged_in cookie. NOTE: this is due to an incomplete fix for a similar issue that was fixed in 1.3.2.
• References:
  http://osvdb.org/91274
  http://plugins.trac.wordpress.org/changeset?new=682420
  http://secunia.com/advisories/51917
  http://wordpress.org/extend/plugins/wp-mailup/changelog
  http://www.securityfocus.com/bid/58467
  https://exchange.xforce.ibmcloud.com/vulnerabilities/82847
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-264: Permissions, Privileges, and Access Controls
CVE-2013-2501 – Terillion Reviews < 1.2 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-2501
Cross-site scripting (XSS) vulnerability in the Terillion Reviews plugin before 1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ProfileId field.
• References:
  https://www.exploit-db.com/exploits/38373
  http://archives.neohapsis.com/archives/bugtraq/2013-03/0055.html
  http://osvdb.org/91123
  http://packetstormsecurity.com/files/120730/WordPress-Terillion-Reviews-Cross-Site-Scripting.html
  http://plugins.trac.wordpress.org/changeset/683838/terillion-reviews
  http://wordpress.org/extend/plugins/terillion-reviews/changelog
  http://www.securityfocus.com/bid/58415
  https://exchange.xforce.ibmcloud.com/vulnerabilities/82727
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-0734 – Mingle Forum <= 1.0.33.3 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-0734
Multiple cross-site scripting (XSS) vulnerabilities in the Mingle Forum plugin before 1.0.34 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) search_words parameter in a search action to wpf.class.php or (2) togroupusers parameter in an add_user_togroup action to fs-admin/fs-admin.php.
• References:
  http://osvdb.org/90432
  http://osvdb.org/90433
  http://secunia.com/advisories/52167
  http://secunia.com/secunia_research/2013-3
  http://www.securityfocus.com/bid/58059
  https://exchange.xforce.ibmcloud.com/vulnerabilities/82187
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-0735 – Mingle Forum <= 1.0.33.3 - SQL Injection
https://notcve.org/view.php?id=CVE-2013-0735
Multiple SQL injection vulnerabilities in wpf.class.php in the Mingle Forum plugin before 1.0.34 for WordPress allow remote attackers to execute arbitrary SQL commands via the id parameter in a viewtopic (1) remove_post, (2) sticky, or (3) closed action, or via the (4) thread parameter in a postreply action to index.php.
• References:
  http://osvdb.org/90434
  http://secunia.com/advisories/52167
  http://secunia.com/secunia_research/2013-4
  http://www.securityfocus.com/bid/58059
  https://exchange.xforce.ibmcloud.com/vulnerabilities/82188
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2013-1409 – CommentLuv < 2.92.4 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-1409
Cross-site scripting (XSS) vulnerability in the CommentLuv plugin before 2.92.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the _ajax_nonce parameter to wp-admin/admin-ajax.php.
The CommentLuv plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the '_ajax_nonce' parameter in versions up to 2.92.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
WordPress CommentLuv version 2.92.3 suffers from a cross-site scripting vulnerability.
• References:
  https://www.exploit-db.com/exploits/38296
  http://archives.neohapsis.com/archives/bugtraq/2013-02/0031.html
  http://osvdb.org/89925
  http://packetstormsecurity.com/files/120090/WordPress-CommentLuv-2.92.3-Cross-Site-Scripting.html
  http://wordpress.org/plugins/commentluv/changelog
  https://www.htbridge.com/advisory/HTB23138
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')