CVE-2024-7713 – AI Chatbot with ChatGPT by AYS <= 2.0.9 - Unauthenticated OpenAI Key Disclosure
https://notcve.org/view.php?id=CVE-2024-7713
The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 discloses the Open AI API Key, allowing unauthenticated users to obtain it The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.9 via the ays_chatgpt_admin_ajax AJAX action. This makes it possible for unauthenticated attackers to retrieve the OpenAI key connected to the site. • https://wpscan.com/vulnerability/061eab97-4a84-4738-a1e8-ef9a1261ff73 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2024-7892 – adstxt Plugin <= 1.0.0 - Settings Update via CSRF
https://notcve.org/view.php?id=CVE-2024-7892
The adstxt Plugin WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack The adstxt Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the adstxtPageContent() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/c07a4992-c9a1-46a4-9a52-9e38b6d15440 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2024-7878 – WP ULike < 4.7.4 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-7878
The WP ULike WordPress plugin before 4.7.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The WP ULike – The Ultimate Engagement Toolkit for Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/9166cf91-69e5-4786-a6a9-816db7d47b07 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-6845 – SmartSearchWP < 2.4.6 - Unauthenticated OpenAI Key Disclosure
https://notcve.org/view.php?id=CVE-2024-6845
The Chatbot with ChatGPT WordPress plugin before 2.4.6 does not have proper authorization in one of its REST endpoint, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key The Chatbot with ChatGPT WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wdgpt_retrieve_api_key() function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to retrieve an OpenAI key. • https://wpscan.com/vulnerability/cfaaa843-d89e-42d4-90d9-988293499d26 • CWE-862: Missing Authorization •
CVE-2024-7846 – YITH WooCommerce Ajax Search < 2.7.1 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-7846
YITH WooCommerce Ajax Search is vulnerable to a XSS vulnerability due to insufficient sanitization of user supplied block attributes. This makes it possible for Contributors+ attackers to inject arbitrary scripts. The YITH WooCommerce Ajax Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/86f7a136-d09b-4637-97ae-2cdaaff172a3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •