CVSS: 8.8EPSS: 2%CPEs: 1EXPL: 1CVE-2020-8658 – Htaccess <= 1.8.1 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2020-8658
01 Feb 2020 — The BestWebSoft Htaccess plugin through 1.8.1 for WordPress allows wp-admin/admin.php?page=htaccess.php&action=htaccess_editor CSRF. The flag htccss_nonce_name passes the nonce to WordPress but the plugin does not validate it correctly, resulting in a wrong implementation of anti-CSRF protection. In this way, an attacker is able to direct the victim to a malicious web page that modifies the .htaccess file, and takes control of the website. El plugin BestWebSoft Htaccess versiones hasta 1.8.1 para WordPress,... • https://github.com/V1n1v131r4/Exploiting-WP-Htaccess-by-BestWebSoft-Plugin/blob/master/README.md • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 51EXPL: 0CVE-2017-2171
https://notcve.org/view.php?id=CVE-2017-2171
22 May 2017 — Cross-site scripting vulnerability in Captcha prior to version 4.3.0, Car Rental prior to version 1.0.5, Contact Form Multi prior to version 1.2.1, Contact Form prior to version 4.0.6, Contact Form to DB prior to version 1.5.7, Custom Admin Page prior to version 0.1.2, Custom Fields Search prior to version 1.3.2, Custom Search prior to version 1.36, Donate prior to version 2.1.1, Email Queue prior to version 1.1.2, Error Log Viewer prior to version 1.0.6, Facebook Button prior to version 2.54, Featured Post... • http://jvndb.jvn.jp/jvndb/JVNDB-2017-000094 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-91: XML Injection (aka Blind XPath Injection) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-18496 – Htaccess by BestWebSoft – WordPress Website Access Control Plugin <= 1.7.5 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-18496
14 Apr 2017 — The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues. El complemento htaccess anterior a 1.7.6 para WordPress tiene múltiples problemas XSS. The "Htaccess by BestWebSoft – WordPress Website Access Control Plugin" plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping on the 'category' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts... • https://wordpress.org/plugins/htaccess/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-3349
https://notcve.org/view.php?id=CVE-2015-3349
21 Apr 2015 — Multiple cross-site request forgery (CSRF) vulnerabilities in the Htaccess module before 7.x-2.3 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) deploy or (2) delete an .htaccess file via unspecified vectors. Múltiples vulnerabilidades de CSRF en el módulo Htaccess anterior a 7.x-2.3 para Drupal permiten a atacantes remotos secuestrar la autenticación de administradores para solicitudes que (1) desplieguen o (2) eliminan un fichero .htaccess a través de... • http://www.openwall.com/lists/oss-security/2015/01/29/6 • CWE-352: Cross-Site Request Forgery (CSRF) •