
CVE-2024-13908 – SMTP by BestWebSoft <= 1.1.9 - Authenticated (Administrator+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-13908
07 Mar 2025 — The SMTP by BestWebSoft plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/bws-smtp/tags/1.1.8/includes/class-bwssmtp-settings.php • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-13906 – Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress <= 4.7.3 - Authenticated (Administrator+) PHP Object Injection
https://notcve.org/view.php?id=CVE-2024-13906
06 Mar 2025 — The Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.7.3 via deserialization of untrusted input in the 'import_gallery_from_csv' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin o... • https://plugins.trac.wordpress.org/browser/gallery-plugin/tags/4.7.3/gallery-plugin.php#L292 • CWE-502: Deserialization of Untrusted Data •

CVE-2024-3112 – Quotes and Tips < 1.45 - Admin+ Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-3112
21 Jun 2024 — The Quotes and Tips by BestWebSoft WordPress plugin before 1.45 does not properly validate uploaded image files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in a multisite setup). The Quotes and Tips by BestWebSoft plugin for WordPress before 1.45 does not properly validate uploaded image files, which allows users with elevated privileges, such as the administrator, to upload arbitrary files on... • https://wpscan.com/vulnerability/fa6f01d6-aa3b-4452-9c5f-49bb227fea9d • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-2198 – Contact Form by BestWebSoft <= 4.2.8 - Reflected Cross-Site Scripting via cntctfrm_contact_address
https://notcve.org/view.php?id=CVE-2024-2198
13 Mar 2024 — The Contact Form by BestWebSoft plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘cntctfrm_contact_address’ parameter in all versions up to, and including, 4.2.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The Contact Form by BestWebSoft plugin for WordPress is vulnerable... • https://plugins.trac.wordpress.org/changeset/3047840/contact-form-plugin • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-2200 – Contact Form by BestWebSoft <= 4.2.8 - Reflected Cross-Site Scripting via cntctfrm_contact_subject
https://notcve.org/view.php?id=CVE-2024-2200
13 Mar 2024 — The Contact Form by BestWebSoft plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘cntctfrm_contact_subject’ parameter in all versions up to, and including, 4.2.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The Contact Form by BestWebSoft plugin for WordPress is vulnerable... • https://github.com/0xkickit/iCUE_DllHijack_LPE-CVE-2024-22002 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2014-125109 – BestWebSoft Portfolio Plugin bws_menu.php bws_add_menu_render cross site scripting
https://notcve.org/view.php?id=CVE-2014-125109
26 Dec 2023 — A vulnerability was found in BestWebSoft Portfolio Plugin up to 2.27. It has been declared as problematic. This vulnerability affects the function bws_add_menu_render of the file bws_menu/bws_menu.php. The manipulation of the argument bwsmn_form_email leads to cross site scripting. The attack can be initiated remotely. • https://github.com/wp-plugins/portfolio/commit/d2ede580474665af56ff262a05783fbabe4529b8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-6250 – BestWebSoft's Like & Share < 2.74 - Unauthenticated Password Protected Post Read
https://notcve.org/view.php?id=CVE-2023-6250
29 Nov 2023 — The BestWebSoft's Like & Share WordPress plugin before 2.74 discloses the content of password protected posts to unauthenticated users via a meta tag. The BestWebSoft's Like & Share WordPress plugin before version 2.74 discloses the content of password-protected posts to unauthenticated users via a meta tag. The BestWebSoft's Like & Share – Posts, Pages and Widget Social Extension plugin for WordPress is vulnerable to Sensitive Informa... • https://wpscan.com/vulnerability/6cad602b-7414-4867-8ae2-f0b846c4c8f0 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-312: Cleartext Storage of Sensitive Information •

CVE-2023-4469 – Profile Extra Fields by BestWebSoft <= 1.2.7 - Missing Authorization to Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2023-4469
05 Oct 2023 — The Profile Extra Fields by BestWebSoft plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the prflxtrflds_export_file function in versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to expose potentially sensitive user data, including data entered into custom fields. The Profile Extra Fields by BestWebSoft plugin for WordPress is vulnerable to unauthorized data access due to a missing check... • https://plugins.trac.wordpress.org/changeset/2975179/profile-extra-fields • CWE-862: Missing Authorization •

CVE-2023-36527 – WordPress Post to CSV by BestWebSoft Plugin <= 1.4.0 is vulnerable to CSV Injection
https://notcve.org/view.php?id=CVE-2023-36527
28 Jun 2023 — Improper Neutralization of Formula Elements in a CSV File vulnerability in BestWebSoft Post to CSV by BestWebSoft. This issue affects Post to CSV by BestWebSoft: from n/a through 1.4.0. Improper Neutralization of Formula Elements in a CSV File vulnerability in BestWebSoft Post to CSV by BestWebSoft. This issue affects Post to CSV by BestWebSoft: from n/a through 1.4.0. The Post to CSV by BestWebSoft plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.0. Th... • https://patchstack.com/database/vulnerability/post-to-csv/wordpress-post-to-csv-by-bestwebsoft-plugin-1-4-0-csv-injection?_s_id=cve • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •

CVE-2023-36508 – WordPress Contact Form to DB by BestWebSoft Plugin <= 1.7.1 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-36508
23 Jun 2023 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BestWebSoft Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress contact-form-to-db allows SQL Injection. This issue affects Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress: from n/a through 1.7.1. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BestWebSoft Contact Form to DB by BestWebSoft... • https://patchstack.com/database/vulnerability/contact-form-to-db/wordpress-contact-form-to-db-by-bestwebsoft-plugin-1-7-1-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •