CVE-2021-24725 – Comment Link Remove and Other Comment Tools < 2.1.6 - Arbitrary Comment Deletion via CSRF
https://notcve.org/view.php?id=CVE-2021-24725
The Comment Link Remove and Other Comment Tools WordPress plugin before 2.1.6 does not have a CSRF check in its 'Delete comments easily' action, which could allow attackers to make a logged-in admin delete arbitrary comments.
References: https://wpscan.com/vulnerability/01483284-57f5-4ae9-b5f1-ae26b623571f https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=29225
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2021-24506 – Slider Hero < 8.2.7 - Contributor+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-24506
The Slider Hero with Animation, Video Background & Intro Maker WordPress plugin before 8.2.7 does not sanitise or escape the id attribute of its hero-button shortcode before using it in a SQL statement, allowing users with a role as low as Contributor to perform SQL injection.
References: https://wpscan.com/vulnerability/52c8755c-46b9-4383-8c8d-8816f03456b0
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-4424 – Slider Hero <= 8.2.0 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2021-4424
The Slider Hero plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.2.0. This is due to missing or incorrect nonce validation on the qc_slider_hero_duplicate() function. This makes it possible for unauthenticated attackers to duplicate slides via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
References: https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4 https://blo
CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2019-13463 – Simple Link Directory < 7.3.5 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-13463
An XSS vulnerability in qcopd-shortcode-generator.php in the Simple Link Directory plugin before 7.3.5 for WordPress allows remote attackers to inject arbitrary web script or HTML, because esc_html is not called for the "echo get_the_title()" or "echo $term->name" statement.
References: https://plugins.trac.wordpress.org/changeset?old_path=%2Fsimple-link-directory&old=2111131&new_path=%2Fsimple-link-directory&new=2111132&sfp_email=&sfph_mail= https://wordpress.org/plugins/simple-link-directory/#developers
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')