CVE-2022-33960 – WordPress Social Share Buttons by Supsystic plugin <= 2.2.3 - Multiple Authenticated SQL Injection (SQLi) vulnerabilities
https://notcve.org/view.php?id=CVE-2022-33960
Multiple Authenticated (subscriber or higher user role) SQL Injection (SQLi) vulnerabilities in Social Share Buttons by Supsystic plugin <= 2.2.3 at WordPress. The Social Share Buttons by Supsystic plugin for WordPress is vulnerable to SQL Injection via several unknown parameters in versions up to, and including, 2.2.3 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber level permissions and above to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
• https://patchstack.com/database/vulnerability/social-share-buttons-by-supsystic/wordpress-social-share-buttons-by-supsystic-plugin-2-2-3-multiple-authenticated-sql-injection-sqli-vulnerabilities
• https://wordpress.org/plugins/social-share-buttons-by-supsystic/#developers
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-27235 – WordPress Social Share Buttons by Supsystic plugin <= 2.2.3 - Multiple Broken Access Control vulnerabilities
https://notcve.org/view.php?id=CVE-2022-27235
Multiple Broken Access Control vulnerabilities in Social Share Buttons by Supsystic plugin <= 2.2.3 at WordPress. The Social Share Buttons by Supsystic plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on various functions in versions up to, and including, 2.2.3. This makes it possible for authenticated attackers with subscriber level permissions and above to perform a wide variety of actions such as modifying the plugin's settings.
• https://patchstack.com/database/vulnerability/social-share-buttons-by-supsystic/wordpress-social-share-buttons-by-supsystic-plugin-2-2-3-multiple-broken-access-control-vulnerabilities
• https://wordpress.org/plugins/social-share-buttons-by-supsystic/#developers
• CWE-264: Permissions, Privileges, and Access Controls
• CWE-862: Missing Authorization
CVE-2022-1653 – Social Share Buttons by Supsystic < 2.2.4 - Multiple CSRF
https://notcve.org/view.php?id=CVE-2022-1653
The Social Share Buttons by Supsystic WordPress plugin before 2.2.4 does not perform CSRF checks in its AJAX endpoints and admin pages, allowing an attacker to trick any logged-in user into manipulating or changing the plugin settings, as well as creating, deleting and renaming projects and networks.
• https://wpscan.com/vulnerability/52eff451-8ce3-4ac4-b530-3196aa82db48
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2021-36890 – WordPress Social Share Buttons by Supsystic plugin <= 2.2.2 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2021-36890
Cross-Site Request Forgery (CSRF) vulnerability in Social Share Buttons by Supsystic plugin <= 2.2.2 at WordPress. Cross-Site Request Forgery (CSRF) vulnerability in Social Share Buttons by Supsystic plugin <= 2.2.3 at WordPress.
• https://patchstack.com/database/vulnerability/social-share-buttons-by-supsystic/wordpress-social-share-buttons-by-supsystic-plugin-2-2-2-cross-site-request-forgery-csrf-vulnerability
• https://wordpress.org/plugins/social-share-buttons-by-supsystic
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-0424 – Popup by Supsystic < 1.10.9 - Unauthenticated Subscriber Email Addresses Disclosure
https://notcve.org/view.php?id=CVE-2022-0424
The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users.
• https://wpscan.com/vulnerability/1e4593fd-51e5-43ca-a244-9aaef3804b9f
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-306: Missing Authentication for Critical Function