CVE-2022-47613 – WordPress AI ChatBot Plugin <= 4.3.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-47613
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in QuantumCloud AI ChatBot plugin <= 4.3.0 versions. The ChatBot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘qlcd_wp_chatbot_email_sub’ parameter in versions up to, and including, 4.3.0 due to insufficient input sanitization and output escaping. This makes it possible for administrator-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/chatbot/wordpress-chatbot-plugin-4-3-0-multiple-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-23981 – WordPress Conversational Forms for ChatBot Plugin <= 1.1.6 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-23981
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in QuantumCloud Conversational Forms for ChatBot plugin <= 1.1.6 versions. The Conversational Forms for ChatBot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a form name in versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://patchstack.com/database/vulnerability/conversational-forms/wordpress-conversational-forms-for-chatbot-plugin-1-1-6-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-3074 – Slider Hero < 8.4.4 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-3074
The Slider Hero WordPress plugin before 8.4.4 does not escape the slider Name, which could allow high-privileged users to perform Cross-Site Scripting attacks. The Slider Hero plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slider title parameter in versions up to, and including, 8.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/90ebaedc-89df-413f-b22e-753d4dd5e1c3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-0747 – Infographic Maker - iList < 4.3.8 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2022-0747
The Infographic Maker WordPress plugin before 4.3.8 does not validate and escape the post_id parameter before using it in a SQL statement via the qcld_upvote_action AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL Injection. • https://plugins.trac.wordpress.org/changeset/2684336 • https://wpscan.com/vulnerability/a8575322-c2cf-486a-9c37-71a22167aac3 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-0760 – Simple Link Directory < 7.7.2 - Unauthenticated SQL injection
https://notcve.org/view.php?id=CVE-2022-0760
The Simple Link Directory WordPress plugin before 7.7.2 does not validate and escape the post_id parameter before using it in a SQL statement via the qcopd_upvote_action AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL Injection. • https://plugins.trac.wordpress.org/changeset/2684915 • https://wpscan.com/vulnerability/1c83ed73-ef02-45c0-a9ab-68a3468d2210 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')