CVSS: 5.2EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3481 – Counter Box < 1.2.4 - Counter Deletion via CSRF
https://notcve.org/view.php?id=CVE-2024-3481
The Counter Box WordPress plugin before 1.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such deleting counters via CSRF attacks El complemento Counter Box de WordPress anterior a 1.2.4 no tiene comprobaciones CSRF en algunas acciones masivas, lo que podría permitir a los atacantes hacer que los administradores que han iniciado sesión realicen acciones no deseadas, como eliminar contadores mediante ataques CSRF. The Counter Box – WordPress plugin for countdown, timer, counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.3. This is due to missing or incorrect nonce validation on the counter-box page. This makes it possible for unauthenticated attackers to delete counters via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/0c441293-e7f9-4634-8f3a-09925cd2b696 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3477 – Popup Box < 2.2.7 - Popup Deletion via CSRF
https://notcve.org/view.php?id=CVE-2024-3477
The Popup Box WordPress plugin before 2.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting popups via CSRF attacks El complemento Popup Box de WordPress anterior a 2.2.7 no tiene comprobaciones CSRF en algunas acciones masivas, lo que podría permitir a los atacantes hacer que los administradores registrados realicen acciones no deseadas, como eliminar ventanas emergentes mediante ataques CSRF. The Popup Box – new WordPress popup plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.6. This is due to missing or incorrect nonce validation on the popup-box page. This makes it possible for unauthenticated attackers to delete pop-ups via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/ca5e59e6-c500-4129-997b-391cdf9aa9c7 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3478 – Herd Effects < 5.2.7 - Effect Deletion via CSRF
https://notcve.org/view.php?id=CVE-2024-3478
The Herd Effects WordPress plugin before 5.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting effects via CSRF attacks El complemento Herd Effects de WordPress anterior a 5.2.7 no tiene comprobaciones CSRF en algunas acciones masivas, lo que podría permitir a los atacantes hacer que los administradores que han iniciado sesión realicen acciones no deseadas, como eliminar efectos mediante ataques CSRF. The Herd Effects – fake notifications and social proof plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.6. This is due to missing or incorrect nonce validation on the mwp-herd-effect page. This makes it possible for unauthenticated attackers to delete effects via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/09f1a696-86ee-47cc-99de-57cfd2a3219d • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.5EPSS: 0%CPEs: 1EXPL: 1CVE-2024-2405 – Float menu < 6.0.1 - Menu Deletion via CSRF
https://notcve.org/view.php?id=CVE-2024-2405
The Float menu WordPress plugin before 6.0.1 does not have CSRF check in its bulk actions, which could allow attackers to make logged in admin delete arbitrary menu via a CSRF attack. El complemento Float menu de WordPress anterior a 6.0.1 no tiene verificación CSRF en sus acciones masivas, lo que podría permitir a los atacantes hacer que el administrador registrado elimine un menú arbitrario a través de un ataque CSRF. The Float menu – awesome floating side menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing or incorrect nonce validation on the float-menu function. This makes it possible for unauthenticated attackers to delete menu items via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/c42ffa15-6ebe-4c70-9e51-b95bd05ea04d • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-1958 – WPB Show Core < 2.7 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-1958
The WPB Show Core WordPress plugin before 2.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated users El complemento wpb-show-core de WordPress anterior a 2.7 no sanitiza ni escapa un parámetro antes de devolverlo a la página, lo que genera un cross-site scripting reflejado que podría usarse contra usuarios con privilegios elevados, como administradores o usuarios no autenticados. The WPB Show Core plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'file' parameter in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/8be4ebcf-2b42-4b88-89a0-2df6dbf00b55 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •