CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24837 – Cross-Site Request Forgery (CSRF) vulnerability in FG PrestaShop, FG Drupal and FG Joomla WordPress plugins
https://notcve.org/view.php?id=CVE-2024-24837
Cross-Site Request Forgery (CSRF) vulnerability in Frédéric GILLES FG PrestaShop to WooCommerce, Frédéric GILLES FG Drupal to WordPress, Frédéric GILLES FG Joomla to WordPress.This issue affects FG PrestaShop to WooCommerce: from n/a through 4.44.3; FG Drupal to WordPress: from n/a through 3.67.0; FG Joomla to WordPress: from n/a through 4.15.0. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Frédéric GILLES FG PrestaShop a WooCommerce, Frédéric GILLES FG Drupal a WordPress, Frédéric GILLES FG Joomla a WordPress. Este problema afecta a FG PrestaShop a WooCommerce: desde n/a hasta 4.44.3; FG Drupal a WordPress: desde n/a hasta 3.67.0; FG Joomla a WordPress: desde n/a hasta 4.15.0. The FG Drupal to WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.67.0. This is due to missing or incorrect nonce validation on the ajax_importer() function. • https://patchstack.com/database/vulnerability/fg-drupal-to-wp/wordpress-fg-drupal-to-wordpress-plugin-3-67-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve https://patchstack.com/database/vulnerability/fg-joomla-to-wordpress/wordpress-fg-joomla-to-wordpress-plugin-4-15-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve https://patchstack.com/database/vulnerability/fg-prestashop-to-woocommerce/wordpress-fg-prestashop-to-woocommerce-plugin-4-44-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6783 – WolfNet IDX for WordPress <= 1.19.1 - Authenticated (Admin+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-6783
The WolfNet IDX for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-7197 – Marketing Twitter Bot <= 1.11 - Cross-Site Request Forgery to Settings Update and Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-7197
The Marketing Twitter Bot plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.11. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-52220 – WordPress MonsterInsights plugin <= 8.21.0 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-52220
Missing Authorization vulnerability in MonsterInsights Google Analytics by Monster Insights.This issue affects Google Analytics by Monster Insights: from n/a through 8.21.0. Vulnerabilidad de autorización faltante en MonsterInsights Google Analytics de Monster Insights. Este problema afecta a Google Analytics de Monster Insights: desde n/a hasta 8.21.0. The Google Analytics by Monster Insights plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in versions up to, and including, 8.21.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action. • https://patchstack.com/database/vulnerability/google-analytics-for-wordpress/wordpress-monsterinsights-plugin-8-21-0-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-31211 – Remote Code Execution in `WP_HTML_Token`
https://notcve.org/view.php?id=CVE-2024-31211
WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected. WordPress es una plataforma de publicación abierta para la Web. • https://github.com/Abdurahmon3236/-CVE-2024-31211 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-m257-q4m5-j653 • CWE-502: Deserialization of Untrusted Data •