CVE-2023-3460 – Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-3460
29 Jun 2023 — The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. ... The Ultimate Member plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.6. • https://github.com/gbrsh/CVE-2023-3460 • CWE-266: Incorrect Privilege Assignment •
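The Ultimate Member issue above comes down to a self-registration form that let a visitor submit user meta keys the plugin should never have written, including the key WordPress stores role membership under. The following is an added example, not Ultimate Member's code and not the fix the project shipped, of an allow-list check a registration handler can run over the submitted fields before any of them reach the user meta table. The form definition, helper names and the sample POST body are constructed for illustration; the general point is to derive the accepted keys from the form definition and to reject role/capability keys by suffix and after normalization, rather than to maintain a deny-list of one spelling.

```python
"""Allow-list the fields a self-registration form may write as user meta.

Added example: this is not Ultimate Member's code and not the fix the project
shipped. The form definition, helper names and the submitted request are
constructed for illustration.
"""
import re

# Keys WordPress stores role membership and the legacy user level under.
# The table prefix varies (wp_capabilities, wp_2_capabilities on multisite,
# custom prefixes), so match on the suffix rather than on one literal key.
PROTECTED_SUFFIX_RE = re.compile(r"(^|_)(capabilities|user_level)$")
PROTECTED_KEYS = {"role", "roles"}


def normalize_key(key: str) -> str:
    """Fold variants that would land on the same meta row once WordPress has
    processed them: strip NUL bytes and surrounding whitespace, lower-case."""
    return key.replace("\x00", "").strip().lower()


def is_protected_meta(key: str) -> bool:
    """True for any key that would grant or change roles/capabilities."""
    k = normalize_key(key)
    return k in PROTECTED_KEYS or PROTECTED_SUFFIX_RE.search(k) is not None


def sanitize_registration_fields(submitted: dict, form_fields: set) -> tuple:
    """Keep only fields the form definition declares, and refuse a protected key
    even if an administrator accidentally added it to the form.
    Returns (accepted, rejected_keys)."""
    accepted, rejected = {}, []
    for key, value in submitted.items():
        k = normalize_key(key)
        if k not in form_fields or is_protected_meta(k):
            rejected.append(key)
            continue
        accepted[k] = value
    return accepted, rejected


if __name__ == "__main__":
    # Constructed POST body: a visitor adds role/capability fields to the form.
    form = {"user_login", "user_email", "nickname"}
    post = {
        "user_login": "visitor",
        "user_email": "visitor@example.com",
        "nickname": "v",
        "wp_capabilities": {"administrator": True},
        "role": "administrator",
        " WP_Capabilities\x00": "a:1:{s:13:\"administrator\";b:1;}",
    }
    ok, dropped = sanitize_registration_fields(post, form)
    print("accepted:", sorted(ok))
    print("rejected:", dropped)
```

The suffix match is deliberately conservative: a harmless key such as `um_capabilities` would also be refused, which is the right failure direction for a form that anonymous visitors submit. Role assignment for new accounts should come from server-side configuration, never from the request.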
CVE-2023-23796 – WordPress Form Builder Plugin <= 1.9.9.0 is vulnerable to CSV Injection
https://notcve.org/view.php?id=CVE-2023-23796
28 Jun 2023 — The Form Builder plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.9.9.0. • https://patchstack.com/database/vulnerability/contact-form-add/wordpress-form-builder-create-responsive-contact-forms-plugin-1-9-9-0-csv-injection-vulnerability? • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
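CSV injection (CWE-1236) is an export-side problem: a visitor submits a value beginning with a formula trigger, and the spreadsheet that an administrator opens the export in evaluates it. The following is an added example, not the Form Builder plugin's code, of neutralizing those cells when writing the export. The sample submissions are constructed; the trigger list reflects the usual behaviour of Excel, LibreOffice and Google Sheets, which treat a cell starting with `=`, `+`, `-`, `@`, a tab or a carriage return as a formula.

```python
"""Neutralize formula triggers when exporting form submissions as CSV (CWE-1236).

Added example, not the Form Builder plugin's code. The sample submissions are
constructed; the trigger list follows the usual spreadsheet behaviour of
treating a cell that starts with =, +, -, @, tab or carriage return as a formula.
"""
import csv
import io

FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def csv_safe_cell(value) -> str:
    """Prefix a cell with a single quote when, after leading spaces, it starts
    with a formula trigger. Spreadsheets show the quote as a text marker and do
    not evaluate the rest. Real numbers are passed through so a numeric column
    holding -5 stays numeric; only strings can carry a payload."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = "" if value is None else str(value)
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_submissions(rows: list, columns: list) -> str:
    """Write rows to CSV with every cell quoted, so a delimiter or newline inside
    a submitted value cannot start a new cell that bypasses the check above."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(columns)
    for row in rows:
        writer.writerow([csv_safe_cell(row.get(col)) for col in columns])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed submissions: the second one is the classic DDE-style payload.
    submissions = [
        {"name": "Alice", "message": "Thanks for the quick reply"},
        {"name": "=cmd|' /C calc'!A0", "message": "@SUM(1+1)*cmd|' /C calc'!A0"},
        {"name": "-Bob", "message": "+1 for the docs"},
    ]
    print(export_submissions(submissions, ["name", "message"]))
```

Quoting every cell matters as much as the prefix: without it, a submitted value containing `","=1+1` would close the current cell and open a new one that the prefix check never saw. The trade-off is cosmetic, since a name such as `-Bob` is exported as `'-Bob`; the stored value in the database is unchanged.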
CVE-2023-2982 – WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.6.4 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2023-2982
28 Jun 2023 — The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. ... WordPress Social Login and Register plugin versions 7.6.4 and below suffer from an authentication bypass vulnerability. • https://packetstorm.news/files/id/183007 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVE-2022-46860 – WordPress Short URL Plugin <= 1.6.4 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2022-46860
28 Jun 2023 — The Short URL plugin for WordPress is vulnerable to SQL Injection via the 'idLink' parameter of the reset_link() function called via an AJAX action in versions up to, and including, 1.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://patchstack.com/database/vulnerability/shorten-url/wordpress-short-url-plugin-1-6-4-sql-injection? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2022-45828 – WordPress NOO Timetable Plugin <= 2.1.3 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-45828
27 Jun 2023 — The NOO Timetable plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.3. • https://patchstack.com/database/vulnerability/noo-timetable/wordpress-noo-timetable-responsive-calendar-auto-sync-wordpress-plugin-plugin-2-1-3-cross-site-request-forgery-csrf? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-36517 – WordPress WP Abstracts Plugin <= 2.6.2 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-36517
27 Jun 2023 — The WP Abstracts plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.6.2. • https://patchstack.com/database/vulnerability/wp-abstracts-manuscripts-manager/wordpress-wp-abstracts-plugin-2-6-2-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-36522 – WordPress Quiz Expert – Easy Quiz Maker, Exam and Test Manager Plugin <= 1.5.0 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-36522
27 Jun 2023 — The Quiz Expert – Easy Quiz Maker, Exam and Test Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.0. • https://patchstack.com/database/vulnerability/quiz-expert/wordpress-quiz-expert-easy-quiz-maker-exam-and-test-manager-plugin-1-5-0-cross-site-request-forgery-csrf? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-36529 – WordPress Houzez CRM Plugin <= 1.3.4 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-36529
27 Jun 2023 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Favethemes Houzez - Real Estate WordPress Theme allows SQL Injection. This issue affects Houzez - Real Estate WordPress Theme: from n/a through 1.3.4. • https://patchstack.com/database/vulnerability/houzez-crm/wordpress-houzez-crm-plugin-1-3-3-sql-injection? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
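Both SQL injection entries above (the Short URL `idLink` parameter reaching `reset_link()` through an AJAX action, and the Houzez CRM issue) are the same bug class: a request parameter concatenated into a query with no escaping and no prepared statement. The following is an added example, not the Short URL or Houzez CRM code, that puts the vulnerable shape beside the hardened one. The table layout, the helper names and the AJAX value are constructed, and sqlite3 stands in for `$wpdb`; the hardened function does what `absint()` plus `$wpdb->prepare()` would do in a WordPress plugin.

```python
"""Vulnerable vs. parameterized reset_link() for an AJAX 'idLink' parameter.

Added example, not the Short URL or Houzez CRM code. Table layout, helper names
and the AJAX payload are constructed; sqlite3 stands in for $wpdb.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fixture: three short links with click counters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE short_urls (id INTEGER PRIMARY KEY, slug TEXT, clicks INTEGER)")
    conn.executemany(
        "INSERT INTO short_urls VALUES (?, ?, ?)",
        [(1, "promo", 120), (2, "docs", 45), (3, "admin-panel", 7)],
    )
    conn.commit()
    return conn


def reset_link_vulnerable(conn: sqlite3.Connection, id_link: str) -> int:
    """Mirrors the bug class: the request value is concatenated into SQL, so
    'idLink=1 OR 1=1' rewrites the WHERE clause and touches every row."""
    sql = "UPDATE short_urls SET clicks = 0 WHERE id = " + id_link
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def reset_link_fixed(conn: sqlite3.Connection, id_link: str) -> int:
    """Hardened form: coerce to a positive integer first (what absint() does in
    WordPress), then bind it as a parameter so the value can never change the
    query's structure. Anything that is not an integer is refused outright."""
    try:
        link_id = int(id_link)
    except (TypeError, ValueError):
        raise ValueError("idLink must be an integer")
    if link_id <= 0:
        raise ValueError("idLink must be positive")
    cur = conn.execute("UPDATE short_urls SET clicks = 0 WHERE id = ?", (link_id,))
    conn.commit()
    return cur.rowcount


def clicks(conn: sqlite3.Connection) -> dict:
    """Current click counters keyed by link id, for inspection."""
    return dict(conn.execute("SELECT id, clicks FROM short_urls ORDER BY id"))


if __name__ == "__main__":
    payload = "1 OR 1=1"                       # constructed AJAX value
    db = make_db()
    print("vulnerable rows changed:", reset_link_vulnerable(db, payload), clicks(db))
    db = make_db()
    try:
        reset_link_fixed(db, payload)
    except ValueError as e:
        print("fixed rejected payload:", e, clicks(db))
    print("fixed legitimate call:", reset_link_fixed(db, "2"), clicks(db))
```

The integer coercion and the bound parameter are independent defences; keep both. Binding alone would also be safe here, but rejecting non-numeric input early gives a clean error instead of a silent no-op, and the same AJAX handler should additionally require a capability and a nonce, since a hardened query does not make an unauthenticated or cross-site caller legitimate.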
CVE-2023-3179 – POST SMTP Mailer < 2.5.7 - Account Takeover via CSRF
https://notcve.org/view.php?id=CVE-2023-3179
26 Jun 2023 — The POST SMTP Mailer WordPress plugin before 2.5.7 does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the manage_postman_smtp capability resend an email to an arbitrary address (for example a password reset email could be resent to an attacker controlled email, and allow them to take over an account). The POST SMTP Mailer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.6. • https://wpscan.com/vulnerability/542caa40-b199-4397-90bb-4fdb693ebb24 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-2329 – WooCommerce Google Sheet Connector < 1.3.6 - Access Code Update via CSRF
https://notcve.org/view.php?id=CVE-2023-2329
26 Jun 2023 — The WooCommerce Google Sheet Connector WordPress plugin before 1.3.6 does not have a CSRF check when updating its Access Code, which could allow attackers to make a logged-in admin change the access code to an arbitrary one via a CSRF attack. The WooCommerce Google Sheet Connector plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.9. • https://wpscan.com/vulnerability/6e58f099-e8d6-49e4-9f02-d6a556c5b1d2 • CWE-352: Cross-Site Request Forgery (CSRF) •
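The five CSRF entries on this page (NOO Timetable, WP Abstracts, Quiz Expert, POST SMTP Mailer's email resend and the Google Sheet Connector's access code update) share one root cause: a state-changing action that trusts the login cookie alone, which the browser attaches to a cross-site request automatically. The following is an added example, not code from any of those plugins or from WordPress itself, of an action-bound nonce and of a handler that checks it together with a capability. The scheme is modelled on WordPress's `wp_create_nonce()` / `check_ajax_referer()` design (a keyed hash over a time tick, the action, the user id and the session token, accepted for the current and the previous tick); the secret, the users, the request shapes and the `handle_resend_email` handler are constructed for illustration.

```python
"""Action-bound CSRF nonces for state-changing AJAX actions.

Added example; not code from POST SMTP Mailer, the Google Sheet Connector or
WordPress itself. The scheme is modelled on WordPress's wp_create_nonce() /
check_ajax_referer(): a keyed hash over a time tick, the action, the user id and
the session token, accepted for the current and the previous tick. The secret,
users, request shapes and the handler are constructed for illustration.
"""
import hashlib
import hmac
import math

NONCE_LIFE = 24 * 60 * 60  # seconds; a nonce is valid for one to two half-lives


class Forbidden(Exception):
    pass


def nonce_tick(now: float) -> int:
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_for_tick(secret: bytes, tick: int, action: str, user_id: int, session_token: str) -> str:
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[-12:]


def create_nonce(secret: bytes, action: str, user_id: int, session_token: str, now: float) -> str:
    """Embed this in the page (hidden field or JS variable). It is bound to one
    action and one login session, so it cannot be replayed for another action."""
    return _nonce_for_tick(secret, nonce_tick(now), action, user_id, session_token)


def verify_nonce(secret: bytes, nonce: str, action: str, user_id: int, session_token: str, now: float) -> bool:
    """Constant-time check against the current and the previous tick."""
    for offset in (0, 1):
        expected = _nonce_for_tick(secret, nonce_tick(now) - offset, action, user_id, session_token)
        if hmac.compare_digest(expected, nonce):
            return True
    return False


def handle_resend_email(request: dict, session: dict, secret: bytes, now: float, outbox: list) -> dict:
    """AJAX handler for a 'resend this email to <address>' action.

    The browser attaches the login cookie to a cross-site request automatically,
    so `session` only establishes identity. Authorization needs both checks:
    the capability (is this user allowed?) and the nonce (did this user's own
    page build the request?). A cross-site page cannot read the nonce, so it fails."""
    user = session["user"]
    if "manage_postman_smtp" not in user["caps"]:
        raise Forbidden("capability check failed")
    nonce = request.get("_wpnonce", "")
    if not verify_nonce(secret, nonce, "resend_email", user["id"], session["token"], now):
        raise Forbidden("nonce check failed")
    outbox.append({"to": request["to"], "by": user["id"]})
    return {"success": True}


if __name__ == "__main__":
    secret = b"constructed-demo-secret"      # real code: the site's salted key
    now = 1_700_000_000.0
    session = {"user": {"id": 7, "caps": {"manage_postman_smtp"}}, "token": "sess-abc"}
    outbox = []
    good = {"_wpnonce": create_nonce(secret, "resend_email", 7, "sess-abc", now),
            "to": "ops@example.com"}
    print(handle_resend_email(good, session, secret, now, outbox))
    # Cross-site form: cookie present, nonce absent.
    try:
        handle_resend_email({"to": "attacker@example.com"}, session, secret, now, outbox)
    except Forbidden as e:
        print("forged request rejected:", e)
```

Two points the handler illustrates. First, the nonce is not a substitute for the capability check: it proves the request came from the user's own page, not that the user may perform the action. Second, binding the nonce to the action name is what stops a token issued for one form (say, a harmless profile save) from being replayed against a sensitive one such as resending a password reset email or rewriting an access code.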