
CVE-2024-35633 – WordPress Blocksy Companion plugin <= 2.0.42 - Server Side Request Forgery (SSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-35633
30 May 2024 — Server-Side Request Forgery (SSRF) vulnerability in CreativeThemes Blocksy Companion. This issue affects Blocksy Companion: from n/a through 2.0.42. Server-Side Request Forgery (SSRF) vulnerability in CreativeThemes Blocksy Companion. This issue affects Blocksy Companion: from n/a through 2.0.42. The Blocksy Companion plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.0.42. This makes it possible for authenticated attackers, with Administrator-lev... • https://patchstack.com/database/vulnerability/blocksy-companion/wordpress-blocksy-companion-plugin-2-0-42-server-side-request-forgery-ssrf-vulnerability?_s_id=cve • CWE-918: Server-Side Request Forgery (SSRF) •

CVE-2024-4487 – Blocksy Companion <= 2.0.45 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Uploads
https://notcve.org/view.php?id=CVE-2024-4487
10 May 2024 — The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG uploads in versions up to, and including, 2.0.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via... • https://plugins.trac.wordpress.org/browser/blocksy-companion/tags/2.0.45/framework/features/svg.php#L20 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-31932 – WordPress Blocksy Companion plugin <= 2.0.28 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-31932
10 Apr 2024 — Cross-Site Request Forgery (CSRF) vulnerability in CreativeThemes Blocksy Companion. This issue affects Blocksy Companion: from n/a through 2.0.28. Cross-Site Request Forgery (CSRF) vulnerability in CreativeThemes Blocksy Companion. This issue affects Blocksy Companion: from n/a through 2.0.28. The Blocksy Companion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.28. This is due to missing or incorrect nonce validation on several functions. • https://patchstack.com/database/vulnerability/blocksy-companion/wordpress-blocksy-companion-plugin-2-0-28-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2024-2392 – Blocksy Companion <= 2.0.31 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-2392
21 Mar 2024 — The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Newsletter widget in all versions up to, and including, 2.0.31 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Blocksy Companion plugin for WordPress is vulnera... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3051797%40blocksy-companion&new=3051797%40blocksy-companion&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-1911 – Blocksy Companion < 1.8.82 - Subscriber+ Draft Post Access
https://notcve.org/view.php?id=CVE-2023-1911
10 Apr 2023 — The Blocksy Companion WordPress plugin before 1.8.82 does not ensure that posts accessed via a shortcode are already public and viewable, allowing any authenticated user, such as a subscriber, to access draft posts, for example. The Blocksy Companion plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.8.81 via the blocksy_posts shortcode. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data inc... • https://wpscan.com/vulnerability/e7c52af0-b210-4e7d-a5e0-ee0645ddc08c • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2023-23898 – WordPress Blocksy Companion Plugin <= 1.8.67 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-23898
27 Jan 2023 — Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in CreativeThemes Blocksy Companion plugin <= 1.8.67 versions. The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocksy_posts shortcode in versions up to, and including, 1.8.67 due to insufficient input sanitization and output escaping on user supplied 'class' attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary... • https://patchstack.com/database/vulnerability/blocksy-companion/wordpress-blocksy-companion-plugin-1-8-67-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-4974 – Freemius SDK <= 2.4.2 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2022-4974
04 Mar 2022 — The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable. • https://www.wordfence.com/threat-intel/vulnerabilities/id/39fb0499-9ab4-4a2f-b0db-ece86bcf4d42?source=cve • CWE-862: Missing Authorization •