CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36345 – WordPress Download Plugin Plugin <= 2.0.4 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-36345
Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download Plugin <= 2.0.4 versions. The Download Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.4. This is due to missing nonce validation on the dpwap_plugin_download_action, dpwap_theme_download, and dpwap_plugin_multiple_download_func functions. This makes it possible for unauthenticated attackers toforce an administrator into downloading plugin zips, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/download-plugin/wordpress-download-plugin-2-0-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38062 – WordPress Download Theme Plugin <= 1.0.9 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-38062
Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download Theme plugin <= 1.0.9 versions. The Download Theme plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.9. This is due to missing or incorrect nonce validation on the dtwap_download() function. This makes it possible for unauthenticated attackers to download theme zips on others computers, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/download-theme/wordpress-download-theme-plugin-1-0-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35884 – WordPress EventPrime Plugin <= 3.0.5 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-35884
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in EventPrime plugin <= 3.0.5 versions. The EventPrime plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.0.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/eventprime-event-calendar-management/wordpress-eventprime-plugin-3-0-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33326 – WordPress EventPrime Plugin <= 2.8.6 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-33326
Unauth. Reflected (XSS) Cross-Site Scripting (XSS) vulnerability in EventPrime plugin <= 2.8.6 versions. The EventPrime plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.8.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/eventprime-event-calendar-management/wordpress-eventprime-plugin-2-8-6-reflected-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2499 – RegistrationMagic <= 5.2.1.0 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2023-2499
The RegistrationMagic plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.2.1.0. This is due to insufficient verification on the user being supplied during a Google social login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. • https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/5.2.0.4/services/class_rm_user_services.php#L791 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2912481%40custom-registration-form-builder-with-submission-manager&new=2912481%40custom-registration-form-builder-with-submission-manager&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/87ec5542-b6e7-4b18-a3ec-c258e749d32e?source=cve • CWE-287: Improper Authentication CWE-288: Authentication Bypass Using an Alternate Path or Channel •