CVE-2020-29171 – All In One WP Security & Firewall <= 4.4.5 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-29171
Cross-site scripting (XSS) vulnerability in admin/wp-security-blacklist-menu.php in the Tips and Tricks HQ All In One WP Security & Firewall (all-in-one-wp-security-and-firewall) plugin before 4.4.6 for WordPress.
• References: https://github.com/Arsenal21/all-in-one-wordpress-security/commit/4130906bc049b195467b4fc6980d6d304fbe28d5 https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/#developers https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-5650 – Simple Download Monitor <= 3.8.8 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-5650
Cross-site scripting vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors. The Simple Download Monitor plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping on the User-Agent header. This makes it possible for attackers to inject arbitrary web scripts that execute in a victim's browser.
• References: https://jvn.jp/en/jp/JVN31425618/index.html https://wordpress.org/plugins/simple-download-monitor
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-5651 – Simple Download Monitor <= 3.8.8 - SQL Injection
https://notcve.org/view.php?id=CVE-2020-5651
SQL injection vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to execute arbitrary SQL commands via a specially crafted URL. The Simple Download Monitor plugin for WordPress is vulnerable to generic SQL Injection in versions up to, and including, 3.8.8 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for attackers to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database if an authenticated user clicks on a malicious URL.
• References: https://jvn.jp/en/jp/JVN31425618/index.html https://wordpress.org/plugins/simple-download-monitor
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2016-10887 – All In One WP Security & Firewall <= 4.0.8 - SQL Injection
https://notcve.org/view.php?id=CVE-2016-10887
The all-in-one-wp-security-and-firewall plugin before 4.0.9 for WordPress has multiple SQL injection issues.
• References: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/#developers
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2019-5993 – Category Specific RSS Feed Subscription <= 2.0 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2019-5993
Cross-site request forgery (CSRF) vulnerability in Category Specific RSS feed Subscription version v2.0 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.
• References: http://jvn.jp/en/jp/JVN92510087/index.html
• CWE-352: Cross-Site Request Forgery (CSRF)