
CVE-2024-13758 – CP Contact Form with PayPal <= 1.3.52 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2024-13758
29 Jan 2025 — The CP Contact Form with PayPal plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.52. This is due to missing or incorrect nonce validation on the cp_contact_form_paypal_check_init_actions() function. This makes it possible for unauthenticated attackers to add discount codes via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/cp-contact-form-with-paypal/trunk/cp_contactformpp_functions.php#L616 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2024-13680 – Form Builder CP <= 1.2.41 - Authenticated (Contributor+) SQL Injection
https://notcve.org/view.php?id=CVE-2024-13680
23 Jan 2025 — The Form Builder CP plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'CP_EASY_FORM_WILL_APPEAR_HERE' shortcode in all versions up to, and including, 1.2.41 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive informa... • https://plugins.trac.wordpress.org/browser/cp-easy-form-builder/tags/1.2.41/cp_easy_form_builder.php#L297 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-12601 – Calculated Fields Form <= 5.2.63 - Denial of Service
https://notcve.org/view.php?id=CVE-2024-12601
16 Dec 2024 — The Calculated Fields Form plugin for WordPress is vulnerable to Denial of Service in all versions up to, and including, 5.2.63. This is due to unlimited height and width parameters for CAPTCHA images. This makes it possible for unauthenticated attackers to send multiple requests with large values, resulting in server resource exhaustion and slowdown if the server does not otherwise mitigate Denial of Service attacks. • https://plugins.trac.wordpress.org/browser/calculated-fields-form/trunk/captcha/captcha.php#L74 • CWE-400: Uncontrolled Resource Consumption •

CVE-2024-9940 – Calculated Fields Form <= 5.2.45 - HTML Injection
https://notcve.org/view.php?id=CVE-2024-9940
16 Oct 2024 — The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. This is due to the plugin not properly neutralizing HTML elements from submitted forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views form submissions in their email. The Calculated Fields Form plugin for WordPress is vulnerable to HTML injection in all versions up to and including 5.2.45. ... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3168950%40calculated-fields-form&new=3168950%40calculated-fields-form&sfp_email=&sfph_mail= • CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) •

CVE-2024-36082 – Music Store - WordPress eCommerce <= 1.1.13 - Authenticated (Admin+) SQL Injection
https://notcve.org/view.php?id=CVE-2024-36082
07 Jun 2024 — SQL injection vulnerability in Music Store - WordPress eCommerce versions prior to 1.1.14 allows a remote authenticated attacker with an administrative privilege to execute arbitrary SQL commands. Information stored in the database may be obtained or altered by the attacker. SQL injection vulnerability in Music Store - WordPress eCommerce versions prior to 1.1.14 allows a remote authenticated attacker with administrative privileges to execute arbitrary SQL commands. The attacker can obtain or modify... • https://jvn.jp/en/jp/JVN79213252 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-35734 – WordPress WP Time Slots Booking Form plugin <= 1.2.10 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-35734
06 Jun 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CodePeople WP Time Slots Booking Form allows Stored XSS. This issue affects WP Time Slots Booking Form: from n/a through 1.2.10. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CodePeople WP Time Slots Booking Form allows Stored XSS. This issue affects WP Time Slots Booking Form: from n/... • https://patchstack.com/database/vulnerability/wp-time-slots-booking-form/wordpress-wp-time-slots-booking-form-plugin-1-2-10-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-35735 – WordPress WP Time Slots Booking Form plugin <= 1.2.11 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-35735
06 Jun 2024 — Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form. This issue affects WP Time Slots Booking Form: from n/a through 1.2.11. Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form. This issue affects WP Time Slots Booking Form: from n/a through 1.2.11. The WP Time Slots Booking Form plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the data_management() function in versions up to, ... • https://patchstack.com/database/vulnerability/wp-time-slots-booking-form/wordpress-wp-time-slots-booking-form-plugin-1-2-11-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVE-2024-31302 – WordPress Contact Form Email plugin <= 1.3.44 - Sensitive Data Exposure vulnerability
https://notcve.org/view.php?id=CVE-2024-31302
05 Apr 2024 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in CodePeople Contact Form Email. This issue affects Contact Form Email: from n/a through 1.3.44. Exposure of Sensitive Information to an Unauthorized Actor vulnerability in CodePeople Contact Form Email. This issue affects Contact Form Email: from n/a through 1.3.44. The Contact Form Email plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, ... • https://patchstack.com/database/vulnerability/contact-form-to-email/wordpress-contact-form-email-plugin-1-3-44-sensitive-data-exposure-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVE-2024-2020 – Calculated Fields Form Professional <= 5.1.56 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-2020
01 Mar 2024 — The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form page href parameter in all versions up to, and including, 5.1.56 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the professional version or higher. The Calculated Fields Form plugin for WordPress is vulnerable to... • https://wordpress.org/plugins/calculated-fields-form/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-0963 – Calculated Fields Form <= 1.2.52 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-0963
01 Feb 2024 — The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's CP_CALCULATED_FIELDS shortcode in all versions up to, and including, 1.2.52 due to insufficient input sanitization and output escaping on the user-supplied 'location' attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Calculated Fields Form plugin... • https://plugins.trac.wordpress.org/changeset/3029782/calculated-fields-form/trunk/inc/cpcff_main.inc.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •