
CVE-2024-5004 – CM Popup Plugin for WordPress < 1.6.6 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-5004
01 Jul 2024 — The CM Popup Plugin for WordPress plugin before 1.6.6 does not sanitise and escape some of the campaign settings, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. The CM Popup Plu... • https://wpscan.com/vulnerability/4bea7baa-84a2-4b21-881c-4f17822329e7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-28749 – WordPress CM On Demand Search And Replace Plugin <= 1.3.0 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-28749
09 May 2023 — Cross-Site Request Forgery (CSRF) vulnerability in the CreativeMindsSolutions CM On Demand Search And Replace plugin, versions <= 1.3.0. The CM On Demand Search And Replace plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.0. This is due to missing nonce validation on the ajaxUpdateReplacement, ajaxDeleteReplacem... • https://patchstack.com/database/vulnerability/cm-on-demand-search-and-replace/wordpress-cm-on-demand-search-and-replace-plugin-1-3-0-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
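The missing-nonce pattern behind the entry above, as an added example that is not the plugin's code: a hypothetical admin-ajax handler is shown first in the unprotected form and then with WordPress's `check_ajax_referer()` and `current_user_can()` checks, plus the enqueue code that hands the nonce to the browser. The hook name `cm_example_update_replacement`, the option name and the nonce action string are assumptions, not the plugin's real identifiers.

```php
<?php
// Added example, not the plugin's code. Hook, option and nonce names are hypothetical.

// Vulnerable shape: the handler trusts the session cookie alone. A logged-in
// admin who loads an attacker-controlled page can be made to submit this.
function cm_example_update_replacement_vulnerable() {
    $search  = isset( $_POST['search'] ) ? wp_unslash( $_POST['search'] ) : '';
    $replace = isset( $_POST['replace'] ) ? wp_unslash( $_POST['replace'] ) : '';
    update_option( 'cm_example_replacement', array( 'search' => $search, 'replace' => $replace ) );
    wp_send_json_success();
}

// Hardened shape: the nonce proves the request was built by a page we served
// to this user; the capability check proves the user may do this at all.
// check_ajax_referer() reads $_REQUEST['nonce'] and terminates the request
// with a 403 when the nonce is absent or does not match the action string.
function cm_example_update_replacement() {
    check_ajax_referer( 'cm_example_replacement', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $search  = isset( $_POST['search'] ) ? sanitize_text_field( wp_unslash( $_POST['search'] ) ) : '';
    $replace = isset( $_POST['replace'] ) ? sanitize_text_field( wp_unslash( $_POST['replace'] ) ) : '';
    update_option( 'cm_example_replacement', array( 'search' => $search, 'replace' => $replace ) );
    wp_send_json_success();
}
// Registered for logged-in users only; there is deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_cm_example_update_replacement', 'cm_example_update_replacement' );

// The admin page passes a fresh nonce to its script, which must send it back
// as the "nonce" field alongside action=cm_example_update_replacement.
function cm_example_enqueue_admin_script() {
    wp_enqueue_script( 'cm-example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'cm-example-admin', 'cmExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'cm_example_replacement' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'cm_example_enqueue_admin_script' );
```

The nonce and the capability check are independent: the nonce stops a cross-origin page from driving the request, the capability check stops a low-privilege account from calling the handler directly. A handler that has only one of the two is still exploitable from the other direction.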

CVE-2023-30750 – WordPress CM Pop-Up banners Plugin <= 1.5.10 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-30750
03 May 2023 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in the CreativeMindsSolutions CM Popup Plugin for WordPress. This issue affects CM Popup Plugin for WordPress versions up to and including 1.5.10 (no lower bound is given). The CM Pop-Up banners plugin... • https://patchstack.com/database/vulnerability/cm-pop-up-banners/wordpress-cm-pop-up-banners-for-wordpress-plugin-1-5-10-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
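The advisory above names the weakness class but not the affected query, so the following is an added example of the general pattern, not the plugin's code: a concatenated query beside the `$wpdb->prepare()` form, the `esc_like()` step a `LIKE` clause additionally needs, and an allow-list for a sort column, which placeholders cannot protect. The table and column names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Table and column names are hypothetical.

// Vulnerable shape: the request value is concatenated into the statement.
// An id of  1 OR 1=1  returns every row; a quoted payload rewrites the query.
function cm_example_get_campaign_vulnerable( $campaign_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'cm_example_campaigns';
    return $wpdb->get_row( "SELECT * FROM {$table} WHERE id = " . $campaign_id );
}

// Hardened shape: $wpdb->prepare() takes a format string with %d, %s and %f
// placeholders and quotes the arguments itself. The format string must be a
// literal; only the arguments may come from the request.
function cm_example_get_campaign( $campaign_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'cm_example_campaigns';
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", absint( $campaign_id ) )
    );
}

// A LIKE search needs esc_like() on top of prepare(), otherwise % and _ in
// the input act as wildcards and let a caller enumerate the table.
function cm_example_find_campaigns( $term ) {
    global $wpdb;
    $table = $wpdb->prefix . 'cm_example_campaigns';
    $like  = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE title LIKE %s", $like )
    );
}

// Column names cannot be passed through %s (they would be quoted as strings);
// when the sort key comes from the request, map it onto an allow-list instead.
function cm_example_list_campaigns( $order_by ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'cm_example_campaigns';
    $columns = array( 'id', 'title', 'created' );
    $column  = in_array( $order_by, $columns, true ) ? $order_by : 'id';
    return $wpdb->get_results( "SELECT id, title FROM {$table} ORDER BY {$column} ASC" );
}
```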

CVE-2023-31228 – WordPress CM On Demand Search And Replace Plugin <= 1.3.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-31228
28 Apr 2023 — Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in the CreativeMindsSolutions CM On Demand Search And Replace plugin, versions <= 1.3.0. The CM On Demand Search And Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that wil... • https://patchstack.com/database/vulnerability/cm-on-demand-search-and-replace/wordpress-cm-on-demand-search-and-replace-plugin-1-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-25992 – WordPress CM Answers Plugin <= 3.1.9 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-25992
23 Feb 2023 — Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in the CreativeMindsSolutions CM Answers plugin, versions <= 3.1.9. The CM Answers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level access, and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an inje... • https://patchstack.com/database/vulnerability/cm-answers/wordpress-cm-answers-plugin-3-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-3076 – CM Download Manager < 2.8.6 - Admin+ Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2022-3076
05 Sep 2022 — The CM Download Manager WordPress plugin before 2.8.6 allows high-privilege users such as admins to upload arbitrary files, because the plugin's settings accept any file extension; an admin of a multisite blog could use this to upload PHP files, for example. The multisite case is what makes this a real escalation: a site administrator there cannot install plugins or use the unfiltered_upload capability, so gaining PHP execution through a plugin setting crosses a boundary the platform is meant to enforce. • https://wpscan.com/vulnerability/d18e695b-4d6e-4ff6-a060-312594a0d2bd • CWE-434: Unrestricted Upload of File with Dangerous Type •
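One way to keep an admin-editable extension list from becoming a PHP upload, as an added example that is not the plugin's code: the configured allow-list is intersected with WordPress's own MIME map and with a fixed deny-list of executable and active-content extensions, and nested extensions are rejected. The option name, nonce action and hook name are assumptions.

```php
<?php
// Added example, not the plugin's code. Option, hook and nonce names are hypothetical.

// Extensions that are refused no matter what an admin typed into the settings
// page: anything the web server may execute or that carries active content.
function cm_example_forbidden_extensions() {
    return array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps',
                  'inc', 'htaccess', 'html', 'htm', 'shtml', 'svg', 'js', 'cgi', 'pl', 'py' );
}

// Returns the name to store the file under, or a WP_Error. $configured is the
// admin-supplied allow-list; it is intersected with WordPress's own MIME map
// and with the deny-list above, so "php" in the settings does not help an attacker.
function cm_example_validate_upload( array $file, array $configured ) {
    $name = sanitize_file_name( (string) $file['name'] );
    // wp_check_filetype_and_ext() matches the claimed extension against the
    // allowed MIME map and, for images, against the actual file contents.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, get_allowed_mime_types() );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'cm_example_type', 'File type could not be verified.' );
    }
    $ext       = strtolower( $check['ext'] );
    $forbidden = cm_example_forbidden_extensions();
    if ( in_array( $ext, $forbidden, true ) ) {
        return new WP_Error( 'cm_example_forbidden', 'Executable or active-content uploads are never allowed.' );
    }
    $allowed = array_map( 'strtolower', array_map( 'trim', $configured ) );
    if ( ! in_array( $ext, $allowed, true ) ) {
        return new WP_Error( 'cm_example_not_allowed', 'Extension is not in the configured allow-list.' );
    }
    // Reject nested extensions such as "shell.php.jpg", which Apache setups
    // using AddHandler for .php still pass to the PHP interpreter.
    foreach ( array_slice( explode( '.', $name ), 1, -1 ) as $inner ) {
        if ( in_array( strtolower( $inner ), $forbidden, true ) ) {
            return new WP_Error( 'cm_example_double_ext', 'Nested executable extension.' );
        }
    }
    return $name;
}

// The AJAX handler: nonce and capability first, then validation, then
// wp_handle_upload(), which only ever writes beneath the uploads directory.
function cm_example_handle_upload() {
    check_ajax_referer( 'cm_example_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) || empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $configured = (array) get_option( 'cm_example_allowed_extensions', array( 'zip', 'pdf' ) );
    $name       = cm_example_validate_upload( $_FILES['file'], $configured );
    if ( is_wp_error( $name ) ) {
        wp_send_json_error( $name->get_error_message(), 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $moved = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( $moved['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $moved['url'] ) );
}
add_action( 'wp_ajax_cm_example_upload', 'cm_example_handle_upload' );
```

The deny-list is deliberately not something the settings page can edit: the whole point of the fix is that no role below the one that may install plugins can turn the upload feature into code execution.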

CVE-2021-24678 – CM Tooltip Glossary < 3.9.21 - Contributor+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24678
06 Sep 2021 — The CM Tooltip Glossary WordPress plugin before 3.9.21 does not escape some glossary_tooltip shortcode attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. The CM Tooltip Glossar... • https://wpscan.com/vulnerability/b83880f7-8614-4409-9305-d059b5df15dd • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-24145 – CM Download Manager <= 2.7.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-24145
13 Apr 2021 — Cross Site Scripting (XSS) vulnerability in the CM Download Manager (aka cm-download-manager) plugin 2.7.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted deletescreenshot action. The CM Do... • https://github.com/secwx/research/blob/main/cve/CVE-2020-24145.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-24146 – CM Download Manager < 2.8.0 - Directory Traversal to Arbitrary File Deletion and Denial of Service
https://notcve.org/view.php?id=CVE-2020-24146
13 Apr 2021 — Directory traversal in the CM Download Manager (aka cm-download-manager) plugin 2.7.0 for WordPress allows authenticated users to delete arbitrary files, and so possibly cause a denial of service by removing a file the site depends on, via the fileName parameter in a deletescreenshot action. • https://github.com/secwx/research/blob/main/cve/CVE-2020-24146.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
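The traversal in a file-deletion action described above, as an added example that is not the plugin's code: the vulnerable join of a request parameter onto a directory, beside a resolver that strips directory components, canonicalises with `realpath()`, and refuses any path that does not sit under the expected directory, followed by the nonce and capability checks every state-changing handler needs. The directory name `cm-example-screenshots`, the hook name and the nonce action are assumptions.

```php
<?php
// Added example, not the plugin's code. Directory, hook and nonce names are hypothetical.

// Vulnerable shape: the request value is joined onto the directory unchanged.
// fileName=../../../../wp-config.php removes a file outside the screenshot directory.
function cm_example_delete_screenshot_vulnerable() {
    $dir = wp_upload_dir()['basedir'] . '/cm-example-screenshots/';
    @unlink( $dir . $_POST['fileName'] );
}

// Resolve the requested name inside the expected directory and refuse
// anything that escapes it. Returns the resolved path or false.
function cm_example_resolve_screenshot( $file_name, $base_dir ) {
    // basename() drops every directory component, so "../x" becomes "x";
    // sanitize_file_name() removes characters WordPress never allows in names.
    $name = sanitize_file_name( basename( (string) $file_name ) );
    if ( '' === $name || '.' === $name[0] ) {
        return false;
    }
    $base = realpath( $base_dir );
    $path = realpath( $base_dir . DIRECTORY_SEPARATOR . $name );
    // realpath() returns false for a missing file and collapses ".." and
    // symlinks, so a prefix match here means the target really lives inside.
    if ( false === $base || false === $path ) {
        return false;
    }
    if ( 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    // The feature only stores images; refuse to delete anything else.
    $ext = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'png', 'jpg', 'jpeg', 'gif', 'webp' ), true ) ) {
        return false;
    }
    return $path;
}

function cm_example_delete_screenshot() {
    check_ajax_referer( 'cm_example_screenshot', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $base = wp_upload_dir()['basedir'] . '/cm-example-screenshots';
    $file = isset( $_POST['fileName'] ) ? wp_unslash( $_POST['fileName'] ) : '';
    $path = cm_example_resolve_screenshot( $file, $base );
    // wp_delete_file_from_directory() repeats the containment check before unlinking.
    if ( false === $path || ! wp_delete_file_from_directory( $path, $base ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_cm_example_delete_screenshot', 'cm_example_delete_screenshot' );
```

The prefix comparison uses `$base . DIRECTORY_SEPARATOR`, not `$base` alone; without the separator a sibling directory such as `cm-example-screenshots-old` would pass the check.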

CVE-2020-27344 – CM Download Manager <= 2.7.0 - Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-27344
21 Oct 2020 — The cm-download-manager plugin before 2.8.0 for WordPress allows XSS. The CM Download Manager plugin for WordPress is vulnerable to Authenticated Stored Cross-Site Scripting via the 'filename' parameter in versions up to, and including, 2.7.0 due to insufficient input sanitization and output escaping. This makes it possible for highly privileged attackers to inject arbitrary web scripts in pages that wil... • https://gist.github.com/qwebee/da79c6a9fa982c3c40988a1e0598c0d9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
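The stored XSS entries on this page (CVE-2024-5004 and CVE-2023-31228 / CVE-2023-25992 via settings, CVE-2021-24678 via shortcode attributes, CVE-2020-24145 / CVE-2020-27344 via a file name) share one root cause, "insufficient input sanitization and output escaping", so one added example serves them all. It is not any of these plugins' code: a hypothetical settings sanitizer, a tooltip shortcode shown in its unescaped and escaped forms, and a value printed into inline JavaScript, each escaped for its own output context. The shortcode name `cm_example_tooltip`, its attributes and the option name are assumptions.

```php
<?php
// Added example, not the plugin's code. Option, shortcode and attribute names are hypothetical.

// On save: sanitize each field for what it is meant to hold. This narrows what
// can be stored but is not sufficient by itself, because the same value is
// later printed into HTML text, attributes and script, each with its own rules.
function cm_example_sanitize_settings( $input ) {
    $input = (array) $input;
    return array(
        'title' => sanitize_text_field( $input['title'] ?? '' ),
        'link'  => esc_url_raw( $input['link'] ?? '' ),
        // Rich text is allowed, restricted to the tag set post authors may use.
        'body'  => wp_kses_post( $input['body'] ?? '' ),
    );
}
add_action( 'admin_init', function () {
    register_setting( 'cm_example', 'cm_example_settings', array( 'sanitize_callback' => 'cm_example_sanitize_settings' ) );
} );

// On output: escape for the exact context at the point of printing.
// Vulnerable shape of the shortcode (do not use):
//   return '<a href="' . $atts['link'] . '" title="' . $atts['tip'] . '">' . $atts['term'] . '</a>';
// A Contributor cannot publish a raw <script> tag, but can write
//   [cm_example_tooltip tip='" onmouseover="alert(1)' term="x"]
// and the unescaped attribute becomes an event handler once the post is published.
function cm_example_tooltip_shortcode( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'term' => '', 'tip' => '', 'link' => '' ), $atts, 'cm_example_tooltip' );
    $out  = '<span class="cm-example-tooltip" data-tip="' . esc_attr( $atts['tip'] ) . '">';
    if ( '' !== $atts['link'] ) {
        // esc_url() rejects javascript: and other disallowed schemes as well as quoting.
        $out .= '<a href="' . esc_url( $atts['link'] ) . '">' . esc_html( $atts['term'] ) . '</a>';
    } else {
        $out .= esc_html( $atts['term'] );
    }
    if ( null !== $content ) {
        // Enclosed content may carry markup; filter it like a post body.
        $out .= wp_kses_post( do_shortcode( $content ) );
    }
    return $out . '</span>';
}
add_shortcode( 'cm_example_tooltip', 'cm_example_tooltip_shortcode' );

// A value inserted into inline JavaScript needs a third escaper. wp_json_encode()
// produces a JSON literal and, like PHP's json_encode(), writes "/" as "\/",
// so a stored "</script>" cannot close the tag early.
function cm_example_print_inline_config( array $settings ) {
    echo '<script>var cmExampleTitle = "' . esc_js( $settings['title'] ) . '";</script>';
    echo '<script>var cmExampleSettings = ' . wp_json_encode( $settings ) . ';</script>';
}
```

The rule the examples follow is escape late and escape for the context: `esc_attr()` inside a quoted attribute, `esc_html()` in element text, `esc_url()` in `href`, `esc_js()` or `wp_json_encode()` in script. Sanitizing on save alone does not cover the file-name cases above, where the stored value is a path component rather than a setting, which is why the output side has to be fixed as well.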