CVE-2024-0780 – Enjoy Social Feed <= 6.2.2 - Subscriber+ Plugin Database Reset
https://notcve.org/view.php?id=CVE-2024-0780
The Enjoy Social Feed plugin for WordPress website plugin, in all versions up to and including 6.2.2, performs no authorization check when resetting its database: the handler reached through the enjoyinstagram_plugin_options page lacks a capability check, so any authenticated user, including one with the Subscriber role, can trigger the reset and wipe the plugin's stored data. • https://wpscan.com/vulnerability/be3045b1-72e6-450a-8dd2-4702a9328447 • CWE-862: Missing Authorization •
CVE-2024-0779 – Enjoy Social Feed <= 6.2.2 - Unauthenticated Arbitrary Instagram Account Unlinking
https://notcve.org/view.php?id=CVE-2024-0779
The Enjoy Social Feed plugin for WordPress website plugin, in all versions up to and including 6.2.2, hooks several functions to admin_init without either a capability check or CSRF (nonce) protection. Because admin_init also fires for the unauthenticated admin-ajax.php and admin-post.php endpoints, unauthenticated attackers can invoke these functions directly and, for example, unlink an arbitrary user's Instagram account. • https://wpscan.com/vulnerability/ced134cf-82c5-401b-9476-b6456e1924e2 • CWE-862: Missing Authorization •
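The pattern behind both Enjoy Social Feed advisories (a database reset and an account-unlink routine reachable through admin_init with no capability or nonce check) is common enough to be worth showing next to its fix. The following is an added illustration written for this page, not code from the Enjoy Social Feed plugin; every function, option and meta key name (esf_demo_*, esf_instagram_token, esf_plugin_options) is hypothetical.

```php
<?php
/*
 * Added illustration (not the Enjoy Social Feed plugin's own code): the
 * admin_init anti-pattern behind CVE-2024-0779 / CVE-2024-0780, next to a
 * hardened version. All function, option and meta names are hypothetical.
 */

// --- Vulnerable pattern -------------------------------------------------
// admin_init runs on every wp-admin request, including the unauthenticated
// admin-ajax.php and admin-post.php endpoints, so this callback is reachable
// by anyone who can send an HTTP request. It trusts an attacker-chosen user
// ID, checks no capability and verifies no nonce.
add_action( 'admin_init', 'esf_demo_vulnerable' );
function esf_demo_vulnerable() {
    if ( isset( $_GET['esf_unlink'], $_GET['user_id'] ) ) {
        delete_user_meta( (int) $_GET['user_id'], 'esf_instagram_token' ); // any user
    }
    if ( isset( $_GET['esf_reset'] ) ) {
        delete_option( 'esf_plugin_options' );                             // whole plugin
    }
}

// --- Hardened pattern ---------------------------------------------------
// 1. Require a logged-in user and a capability appropriate to the action.
// 2. Verify a nonce bound to the action (and, for unlink, to the target user)
//    so an administrator cannot be tricked into issuing the request (CSRF).
// 3. Self-service actions act on the current user; acting on others or
//    resetting the plugin needs manage_options.
add_action( 'admin_init', 'esf_demo_unlink_hardened' );
function esf_demo_unlink_hardened() {
    if ( ! isset( $_GET['esf_unlink'] ) ) {
        return;
    }
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', 'Forbidden', array( 'response' => 403 ) );
    }
    $target = isset( $_GET['user_id'] ) ? (int) $_GET['user_id'] : get_current_user_id();

    // The link was built with wp_nonce_url( $url, 'esf_unlink_' . $target ).
    check_admin_referer( 'esf_unlink_' . $target );

    if ( $target !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You may only unlink your own account.', 'Forbidden', array( 'response' => 403 ) );
    }
    delete_user_meta( $target, 'esf_instagram_token' );
    wp_safe_redirect( admin_url( 'admin.php?page=esf_settings&unlinked=1' ) );
    exit;
}

add_action( 'admin_init', 'esf_demo_reset_hardened' );
function esf_demo_reset_hardened() {
    if ( ! isset( $_GET['esf_reset'] ) ) {
        return;
    }
    // Destructive, plugin-wide action: administrators only, plus its own nonce
    // carried in a distinct query argument so it cannot be reused for unlink.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    check_admin_referer( 'esf_reset', 'esf_reset_nonce' );
    delete_option( 'esf_plugin_options' );
    wp_safe_redirect( admin_url( 'admin.php?page=esf_settings&reset=1' ) );
    exit;
}
```

The order of checks matters: the capability test comes first so an unauthenticated caller never reaches check_admin_referer, and the nonce action string includes the target user ID so a nonce minted for one user's unlink link cannot be replayed against another. An equally valid design is to move these handlers off admin_init entirely and onto admin_post_{action} hooks, which WordPress only fires for logged-in users.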
CVE-2024-0719 – Tabs Shortcode and Widget <= 1.17 - Contributor+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-0719
The Tabs Shortcode and Widget plugin for WordPress, in all versions up to and including 1.17, does not validate or escape some of its shortcode attributes before outputting them in the page or post where the shortcode is embedded. Because Contributors can place shortcodes in the posts they author, authenticated users with the Contributor role and above can store arbitrary script in attribute values, which executes whenever a user views the affected page (Stored Cross-Site Scripting). • https://wpscan.com/vulnerability/6e67bf7f-07e6-432b-a8f4-aa69299aecaf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
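Shortcode attributes are a recurring Contributor-level XSS vector because the kses filtering WordPress applies to a Contributor's post on save only parses HTML tags; a payload inside [shortcode attr="..."] contains no tag and is stored verbatim, so the only defence is in the shortcode handler. The following is an added illustration, not code from the Tabs Shortcode and Widget plugin; the shortcode names (demo_tab_vuln, demo_tab) and attribute set are hypothetical.

```php
<?php
/*
 * Added illustration (not the Tabs Shortcode and Widget plugin's own code):
 * a shortcode that echoes its attributes unescaped, next to a hardened
 * handler. Shortcode and attribute names are hypothetical.
 */

// --- Vulnerable: attribute values flow straight into HTML ---------------
// A Contributor can save a draft containing
//   [demo_tab_vuln id='x" onmouseover="alert(document.cookie)' title="Tab"]
// kses leaves it untouched (no tag to filter), and every reader, including
// the editor reviewing the draft, receives the injected event handler.
add_shortcode( 'demo_tab_vuln', 'demo_tab_vulnerable' );
function demo_tab_vulnerable( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'title' => '', 'id' => '', 'style' => '' ), $atts, 'demo_tab_vuln' );
    return '<div id="' . $atts['id'] . '" style="' . $atts['style'] . '">'
         . '<h3>' . $atts['title'] . '</h3>'
         . do_shortcode( $content )
         . '</div>';
}

// --- Hardened: validate on input, escape for the output context ----------
add_shortcode( 'demo_tab', 'demo_tab_hardened' );
function demo_tab_hardened( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'title' => '', 'id' => '', 'style' => '' ), $atts, 'demo_tab' );

    // An HTML id needs only [A-Za-z0-9_-]; anything else is dropped.
    $id = sanitize_html_class( $atts['id'] );

    // Never pass arbitrary CSS through. Allow-list the one property we
    // support, rebuilt from the captured number and unit.
    $style = '';
    if ( preg_match( '/^width:\s*(\d{1,4})(px|%)$/', trim( $atts['style'] ), $m ) ) {
        $style = 'width:' . $m[1] . $m[2];
    }

    // Escape each value for where it lands: attribute vs. element text.
    $html  = '<div id="' . esc_attr( $id ) . '"';
    $html .= ( '' !== $style ) ? ' style="' . esc_attr( $style ) . '">' : '>';
    $html .= '<h3>' . esc_html( $atts['title'] ) . '</h3>';
    // Nested content: expand inner shortcodes, then restrict to post-safe HTML.
    $html .= wp_kses_post( do_shortcode( $content ) );
    $html .= '</div>';
    return $html;
}
```

The split between validation (sanitize_html_class, the width allow-list) and escaping (esc_attr, esc_html) is deliberate: escaping alone would still let a Contributor set style="position:fixed;..." and overlay the page, which is a UI-redress problem rather than script execution but is still a capability they should not have.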
CVE-2023-7236 – Backup Bolt <= 1.3.0 - Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2023-7236
The Backup Bolt plugin for WordPress, in all versions up to and including 1.3.0, leaves its debug/error log file reachable over the web without authentication. Unauthenticated attackers can retrieve the log, which may contain system errors and other sensitive information. • https://wpscan.com/vulnerability/2a4557e2-b764-4678-a6d6-af39dd1ba76b • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-6821 – Error Log Viewer < 1.1.3 - Directory Listing to Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2023-6821
The Error Log Viewer by BestWebSoft plugin for WordPress, in all versions before 1.1.3 (that is, up to and including 1.1.2), is affected by a directory listing issue that lets unauthenticated users read and download the PHP log files it manages. Attackers can extract sensitive data from those logs, including file paths and other information recorded in them. • https://wpscan.com/vulnerability/6b1a998d-c97c-4305-b12a-69e29408ebd9 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
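The Backup Bolt and Error Log Viewer entries above share one root cause: a log file written under the web root with a predictable name, in a directory that the web server will list or serve directly. The following is an added illustration of how a plugin can avoid that, written for this page and not taken from either plugin; the directory name, option name and action name (demo-plugin-logs, demo_logs_file, demo_download_log) are hypothetical.

```php
<?php
/*
 * Added illustration (not code from Backup Bolt or Error Log Viewer): keep a
 * plugin log file out of reach of unauthenticated visitors. Directory,
 * option, action and capability choices are hypothetical.
 */

// On activation: dedicated directory, direct web access denied (Apache and
// LiteSpeed honour .htaccess), directory listing suppressed by an index.php,
// and an unguessable file name so the log cannot be fetched even where
// .htaccess is ignored (nginx), which is the defence that actually holds.
register_activation_hook( __FILE__, 'demo_logs_install' );
function demo_logs_install() {
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'demo-plugin-logs';
    wp_mkdir_p( $dir );

    // Apache 2.4 (mod_authz_core) and 2.2 syntax, so either version denies.
    $htaccess = "<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n"
              . "<IfModule !mod_authz_core.c>\nOrder deny,allow\nDeny from all\n</IfModule>\n";
    file_put_contents( $dir . '/.htaccess', $htaccess );
    file_put_contents( $dir . '/index.php', "<?php\n// Silence is golden.\n" );

    // Random file name kept in a non-autoloaded option, never placed in a URL.
    if ( ! get_option( 'demo_logs_file' ) ) {
        add_option( 'demo_logs_file', 'debug-' . wp_generate_password( 32, false ) . '.log', '', 'no' );
    }
}

function demo_logs_path() {
    $upload = wp_upload_dir();
    return trailingslashit( $upload['basedir'] ) . 'demo-plugin-logs/' . get_option( 'demo_logs_file' );
}

// One write path, so callers cannot inject line breaks or fake entries.
function demo_log( $message ) {
    $line = gmdate( 'c' ) . ' ' . preg_replace( '/[\r\n]+/', ' ', (string) $message ) . "\n";
    file_put_contents( demo_logs_path(), $line, FILE_APPEND | LOCK_EX );
}

// The only read path: admin_post_{action} fires for logged-in users only;
// the handler additionally requires manage_options and a nonce, and streams
// the file itself so its real location never appears in a URL.
add_action( 'admin_post_demo_download_log', 'demo_download_log' );
function demo_download_log() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_download_log' );

    $path = demo_logs_path();
    if ( ! is_readable( $path ) ) {
        wp_die( 'No log file.', 'Not Found', array( 'response' => 404 ) );
    }
    nocache_headers();
    header( 'Content-Type: text/plain; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="debug.log"' );
    header( 'X-Content-Type-Options: nosniff' );
    readfile( $path );
    exit;
}
// Settings-page link:
// wp_nonce_url( admin_url( 'admin-post.php?action=demo_download_log' ), 'demo_download_log' )
```

When auditing a plugin for this class of issue, request the plugin's log or backup directory directly (for example /wp-content/uploads/<plugin>/ and the log file name visible in its source) from an unauthenticated session: an HTTP 200 with a listing or file body is the finding, and a 403 from .htaccess alone is not sufficient evidence on hosts running nginx.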