CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2022-3342 – Jetpack CRM <= 5.3.1 - Cross-Site Request Forgery and PHAR Deserialization
https://notcve.org/view.php?id=CVE-2022-3342
18 Apr 2023 — The Jetpack CRM plugin for WordPress is vulnerable to PHAR deserialization via the ‘zbscrmcsvimpf’ parameter in the 'zeroBSCRM_CSVImporterLitehtml_app' function in versions up to, and including, 5.3.1. While the function performs a nonce check, steps 2 and 3 of the check do not take any action upon a failed check. These steps then perform a 'file_exists' check on the value of 'zbscrmcsvimpf'. If a phar:// archive is supplied, its contents will be deserialized and an object injected in the execution stream. ... • https://plugins.trac.wordpress.org/browser/zero-bs-crm/trunk/includes/ZeroBSCRM.CSVImporter.php?rev=2790863 • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-27429 – WordPress Jetpack CRM Plugin <= 5.4.4 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-27429
05 Mar 2023 — Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Automattic - Jetpack CRM team Jetpack CRM plugin <= 5.4.4 versions. The Jetpack CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 5.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level access, and above, to inject arbitrary web scripts in pages that will execute whenever a user accesse... • https://patchstack.com/database/vulnerability/zero-bs-crm/wordpress-jetpack-crm-clients-leads-invoices-billing-email-marketing-automation-plugin-5-4-4-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4497 – Jetpack CRM < 5.5 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-4497
19 Dec 2022 — The Jetpack CRM WordPress plugin before 5.5 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins The Jetpack CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode in versions up to, and including, 5.4.4 due to insufficient input sanitization and output escaping. ... • https://wpscan.com/vulnerability/3fa6c8b3-6b81-4fe3-b997-25c9e5fdec86 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3919 – Jetpack CRM < 5.4.3 - Admin+ Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-3919
21 Nov 2022 — The Jetpack CRM WordPress plugin before 5.4.3 does not sanitise and escape its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. El complemento Jetpack CRM para WordPress anterior a 5.4.3 no sanitiza ni escapa de su configuración, lo que permite a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting incluso cuando la capacidad unfiltered_html no está permitida. Th... • https://wpscan.com/vulnerability/fe2f1d52-8421-4b46-b829-6953a0472dcb • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •