CVE-2022-0641 – Popup Like box < 3.6.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0641
The Popup Like box WordPress plugin before 3.6.1 does not sanitize and escape the ays_fb_tab parameter before outputting it back in an admin page, leading to Reflected Cross-Site Scripting. • https://wpscan.com/vulnerability/0a9830df-5f5d-40a3-9841-40994275136f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-26256 – WordPress Survey Maker plugin <= 2.0.6 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2021-26256
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered in Survey Maker WordPress plugin (versions <= 2.0.6). • https://patchstack.com/database/vulnerability/survey-maker/wordpress-survey-maker-plugin-2-0-6-unauthenticated-stored-cross-site-scripting-xss-vulnerability https://wordpress.org/plugins/survey-maker/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24931 – Secure Copy Content Protection and Content Locking < 2.8.2 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2021-24931
The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an SQL injection. WordPress Secure Copy Content Protection and Content Locking plugin version 2.8.1 suffers from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/50733 http://packetstormsecurity.com/files/165946/WordPress-Secure-Copy-Content-Protection-And-Content-Locking-2.8.1-SQL-Injection.html https://wpscan.com/vulnerability/1cd52d61-af75-43ed-9b99-b46c471c4231 https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24931/README.md https://kazet.cc/2022/02/03/fuzzing-wordpress-plugins.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-24651 – Poll Maker < 3.4.2 - Unauthenticated Time Based SQL Injection
https://notcve.org/view.php?id=CVE-2021-24651
The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as a password hash. • https://wpscan.com/vulnerability/24f933b0-ad57-4ed3-817d-d637256e2fb1 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-203: Observable Discrepancy
CVE-2021-34635 – Poll Maker <= 3.2.8 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-34635
The Poll Maker WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the mcount parameter found in the ~/admin/partials/settings/poll-maker-settings.php file, which allows attackers to inject arbitrary web scripts, in versions up to and including 3.2.8. • https://plugins.trac.wordpress.org/browser/poll-maker/tags/3.2.8/admin/partials/settings/poll-maker-settings.php#L249 https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34635 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')