CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-50506 – WordPress Marketing Automation by AZEXO plugin <= 1.27.80 - Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2024-50506
28 Oct 2024 — Incorrect Privilege Assignment vulnerability in Azexo Marketing Automation by AZEXO allows Privilege Escalation.This issue affects Marketing Automation by AZEXO: from n/a through 1.27.80. La vulnerabilidad de asignación incorrecta de privilegios en Azexo Marketing Automation de AZEXO permite la escalada de privilegios. Este problema afecta a Marketing Automation de AZEXO: desde n/a hasta la versión 1.27.80. The Marketing Automation by AZEXO plugin for WordPress is vulnerable to Privilege Escalation in all v... • https://patchstack.com/database/vulnerability/marketing-automation-by-azexo/wordpress-marketing-automation-by-azexo-plugin-1-27-80-privilege-escalation-vulnerability?_s_id=cve • CWE-266: Incorrect Privilege Assignment •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-50480 – WordPress Marketing Automation by AZEXO plugin <= 1.27.80 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-50480
25 Oct 2024 — Unrestricted Upload of File with Dangerous Type vulnerability in azexo Marketing Automation by AZEXO allows Upload a Web Shell to a Web Server.This issue affects Marketing Automation by AZEXO: from n/a through 1.27.80. La vulnerabilidad de carga sin restricciones de archivos con tipo peligroso azexo Marketing Automation by AZEXO permite cargar un shell web a un servidor web. Este problema afecta a Marketing Automation de AZEXO: desde n/a hasta la versión 1.27.80. The Marketing Automation by AZEXO plugin for... • https://patchstack.com/database/vulnerability/marketing-automation-by-azexo/wordpress-marketing-automation-by-azexo-plugin-1-27-80-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9656 – Mynx Page Builder <= 0.27.8 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
https://notcve.org/view.php?id=CVE-2024-9656
11 Oct 2024 — The Mynx Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.27.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. • https://wordpress.org/plugins/mynx-page-builder/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9274 – Elastik Page Builder <= 0.27.4 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
https://notcve.org/view.php?id=CVE-2024-9274
30 Sep 2024 — The Elastik Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.27.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. El complemento Elastik Page Builder para WordPress es vulnerable a Cross-Site Scripting Almacenado a través d... • https://wordpress.org/plugins/elastik-page-builder/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3051 – Page Builder by AZEXO <= 1.27.133 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2023-3051
02 Jun 2023 — The Page Builder by AZEXO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'azh_post' shortcode in versions up to, and including, 1.27.133 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/page-builder-by-azexo/trunk/azexo_html.php#L2845 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3052 – Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery to Post Creation/Modification/Deletion
https://notcve.org/view.php?id=CVE-2023-3052
02 Jun 2023 — The Page Builder by AZEXO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.27.133. This is due to missing or incorrect nonce validation on the 'azh_add_post', 'azh_duplicate_post', 'azh_update_post' and 'azh_remove_post' functions. This makes it possible for unauthenticated attackers to create, modify, and delete a post via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/page-builder-by-azexo/trunk/azexo_html.php#L4085 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3053 – Page Builder by AZEXO <= 1.27.133 - Missing Authorization to Post Creation
https://notcve.org/view.php?id=CVE-2023-3053
02 Jun 2023 — The Page Builder by AZEXO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'azh_add_post' function in versions up to, and including, 1.27.133. This makes it possible for authenticated attackers to create a post with any post type and post status. • https://plugins.trac.wordpress.org/browser/page-builder-by-azexo/trunk/azexo_html.php#L4085 • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3055 – Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery to Stored Cross-Site Scripting via azh_save
https://notcve.org/view.php?id=CVE-2023-3055
02 Jun 2023 — The Page Builder by AZEXO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.27.133. This is due to missing or incorrect nonce validation on the 'azh_save' function. This makes it possible for unauthenticated attackers to update the post content and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/page-builder-by-azexo/trunk/azexo_html.php#L2721 • CWE-352: Cross-Site Request Forgery (CSRF) •