CVE-2022-1442 – Metform Elementor Contact Form Builder <= 2.1.3 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2022-1442
The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated third-party APIs like that of PayPal, Stripe, Mailchimp, Hubspot, HelpScout, reCAPTCHA and many more, in versions up to and including 2.1.3.
• https://github.com/RandomRobbieBF/CVE-2022-1442
• https://gist.github.com/Xib3rR4dAr/6e6c6e5fa1f8818058c7f03de1eda6bf
• https://plugins.trac.wordpress.org/changeset/2711944/metform/trunk/core/forms/action.php
• https://www.wordfence.com/threat-intel/vulnerabilities/id/04a46249-b5b2-4082-b520-cdc4a1370bb1?source=cve
• CWE-862: Missing Authorization
CVE-2021-24258 – ElementsKit and ElementsKit Pro < 2.2.0 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2021-24258
The Elements Kit Lite and Elements Kit Pro WordPress Plugins before 2.2.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
• https://wpscan.com/vulnerability/47b47b86-899b-4de3-8a3c-2d5d1774298f
• https://www.wordfence.com/blog/2021/04/recent-patches-rock-the-elementor-ecosystem
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')