
CVE-2023-38383 – WordPress Language plugin <= 1.2.1 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-38383
20 Jul 2023 — Missing Authorization vulnerability in OnTheGoSystems Language allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Language: from n/a through 1.2.1. The Language plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions. • https://patchstack.com/database/wordpress/plugin/wordpress-language/vulnerability/wordpress-wordpress-language-plugin-1-2-1-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVE-2023-35098 – WordPress NextGen GalleryView Plugin <= 0.5.5 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-35098
15 Jun 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in John Brien WordPress NextGen GalleryView plugin <= 0.5.5 versions. The NextGen GalleryView plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 0.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on... • https://patchstack.com/database/vulnerability/wordpress-nextgen-galleryview/wordpress-wordpress-nextgen-galleryview-plugin-0-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-34029 – WordPress Disable WordPress Update Notifications Plugin <= 2.3.3 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-34029
30 May 2023 — Cross-Site Request Forgery (CSRF) vulnerability in Prem Tiwari Disable WordPress Update Notifications and auto-update Email Notifications plugin <= 2.3.3 versions. The Disable WordPress Update Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.3. This is due to missing or incorrect nonce validation on the dwnSettings() function. This makes it possible for unauthenticated attackers to modify the plugin's settings, via a forged request granted ... • https://patchstack.com/database/vulnerability/disable-update-notifications/wordpress-disable-wordpress-update-notifications-and-auto-update-email-notifications-plugin-2-3-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2023-34185 – WordPress NextGen GalleryView Plugin <= 0.5.5 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-34185
30 May 2023 — Cross-Site Request Forgery (CSRF) vulnerability in John Brien WordPress NextGen GalleryView plugin <= 0.5.5 versions. The NextGen GalleryView plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.5.5. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke this function via a forged request granted they can trick a site administrator into performing an action such as clicking o... • https://patchstack.com/database/vulnerability/wordpress-nextgen-galleryview/wordpress-wordpress-nextgen-galleryview-plugin-0-5-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2022-45823 – WordPress Video Contest WordPress Plugin Plugin <= 3.2 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-45823
25 May 2023 — Cross-Site Request Forgery (CSRF) vulnerability in GalleryPlugins Video Contest WordPress plugin <= 3.2 versions. The Video Contest WordPress Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to perform unauthorized actions on behalf of a site's administrator via a forged request granted they can trick a site administrator into performing an ... • https://patchstack.com/database/vulnerability/video-contest/wordpress-video-contest-wordpress-plugin-plugin-3-2-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2022-47174 – WordPress Performance Lab Plugin <= 2.2.0 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-47174
18 May 2023 — Cross-Site Request Forgery (CSRF) vulnerability in WordPress Performance Team Performance Lab plugin <= 2.2.0 versions. The Performance Lab plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the dismiss-wp-pointer AJAX action. This makes it possible for unauthenticated attackers to dismiss new feature pointers via a forged request granted they can trick a site administrator into performing an actio... • https://patchstack.com/database/vulnerability/performance-lab/wordpress-performance-lab-plugin-2-2-0-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2023-2745 – WordPress Core < 6.2.1 - Directory Traversal
https://notcve.org/view.php?id=CVE-2023-2745
16 May 2023 — WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could also be used to perform a Cross-Site Scripting attack. Several security vulnerabilities have been discovered in WordPress, a popular content management framework, which may lead to... • https://packetstorm.news/files/id/172426 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2023-28775 – WordPress Yoast SEO Premium plugin <= 20.4 - Unauthenticated Zapier API Key Reset vulnerability
https://notcve.org/view.php?id=CVE-2023-28775
09 May 2023 — Missing Authorization vulnerability in Yoast Yoast SEO Premium. This issue affects Yoast SEO Premium: from n/a through 20.4. The Yoast SEO Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in versions up to, and including, 20.4. This makes it possible for unauthenticated attackers to disconnect a Zapier API Key. • https://patchstack.com/database/vulnerability/wordpress-seo-premium/wordpress-yoast-seo-premium-plugin-20-4-unauthenticated-zapier-api-key-reset-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVE-2022-47161 – WordPress Health Check & Troubleshooting Plugin <= 1.5.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-47161
31 Mar 2023 — Cross-Site Request Forgery (CSRF) vulnerability in The WordPress.Org community Health Check & Troubleshooting plugin <= 1.5.1 versions. The Health Check & Troubleshooting plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.1. This is due to missing or incorrect nonce validation on the health_check_troubleshoot_get_captures function. This makes it possible for unauthenticated attackers to enable or disable plugins and themes, dismiss notices, or disable trou... • https://patchstack.com/database/vulnerability/health-check/wordpress-health-check-troubleshooting-plugin-1-5-1-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2022-30705 – WordPress WordPress Ping Optimizer Plugin <= 2.35.1.2.3 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-30705
27 Mar 2023 — Cross-Site Request Forgery (CSRF) vulnerability in Pankaj Jha WordPress Ping Optimizer plugin <= 2.35.1.2.3 versions. • https://patchstack.com/database/vulnerability/wordpress-ping-optimizer/wordpress-ping-optimizer-plugin-2-35-1-2-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •