CVE-2022-40700 – Server Side Request Forgery (SSRF) vulnerability affecting multiple WordPress plugins
https://notcve.org/view.php?id=CVE-2022-40700
Server-Side Request Forgery (SSRF) vulnerability in the following WordPress plugins. Affected versions are listed as "from n/a through" the last vulnerable release, i.e. every release up to and including the one named:
- Montonio for WooCommerce (Montonio): through 6.0.1
- Wpopal Core Features (Wpopal): through 1.5.8
- AMO for WP – Membership Management, wp-amo (ArcStone): through 4.6.6
- WooVirtualWallet – A virtual wallet for WooCommerce (Long Watch Studio): through 2.2.1
- WooVIP – Membership plugin for WordPress and WooCommerce (Long Watch Studio): through 1.4.4
- WooSupply – Suppliers, Supply Orders and Stock Management (Long Watch Studio): through 1.2.2
- Theme Minifier (Squidesma): through 2.0
- Styles (Paul Clark): through 1.2.3
- WordPress Page Builder – Qards (Designmodo Inc.): through 1.0.5
- PHPFreeChat (Philip M. Hofer (Frumph)): through 0.2.8
- Custom Login Admin Front-end CSS (Arun Basil Lal): through 1.4.1
- CSS Adder By Agence-Press (Team Agence-Press): through 1.5.0
- Confirm Data (Unihost): through 1.0.7
- AMP Toolbox, amp-toolbox (deano1987): through 2.1.1
- Admin CSS MU (Arun Basil Lal): through 2.6
• https://patchstack.com/database/vulnerability/admin-css-mu/wordpress-admin-css-mu-plugin-2-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve https://patchstack.com/database/vulnerability/amp-toolbox/wordpress-amp-toolbox-plugin-2-1-1-server-side-request-forgery-ssrf?_s_id=cve https://patchstack.com/database/vulnerability/confirm-data/wordpress-confirm-data-plugin-1-0-7-unauth-server-side-request-forgery-ssrf-vulnerability?_s_id=cve https://patchstack.com/database/vulnerability/css-adder-by-agence-press& • CWE-918: Server-Side Request Forgery (SSRF) •
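The bug class behind CVE-2022-40700 is a plugin endpoint that fetches whatever URL the caller supplies and returns the result. The following PHP is an added example and is not code from any plugin listed on this page: a hypothetical admin-ajax "proxy" handler written the vulnerable way, beside a hardened version that adds the controls the vulnerable one lacks. The function names, the `example_proxy` / `example_proxy_safe` actions, the `target` and `nonce` parameters, the `example_proxy_nonce` nonce action and the `api.example.com` allow-list entry are all assumptions for illustration; the WordPress functions called are real core APIs.

```php
<?php
// Added example, not code from any plugin on this page.
// Hypothetical plugin file: an SSRF-prone proxy endpoint next to a hardened one.
// Hook names, action names, parameter names and the allow-list are assumptions.

// VULNERABLE: reachable by anyone via
//   /wp-admin/admin-ajax.php?action=example_proxy&target=<url>
// The caller controls the whole URL, so the server can be made to request
// http://127.0.0.1:<port>/, http://169.254.169.254/ (cloud metadata) or an
// internal hostname, and the response body is echoed back in the site's origin.
function example_proxy_fetch_vulnerable() {
    $target   = isset( $_GET['target'] ) ? $_GET['target'] : '';
    $response = wp_remote_get( $target );           // no authorization, no URL validation
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message() );
    }
    header( 'Content-Type: text/html' );             // remote document rendered as this site: stored/reflected XSS
    echo wp_remote_retrieve_body( $response );
    wp_die();
}
add_action( 'wp_ajax_example_proxy', 'example_proxy_fetch_vulnerable' );
add_action( 'wp_ajax_nopriv_example_proxy', 'example_proxy_fetch_vulnerable' ); // unauthenticated too

// HARDENED: same feature, with authorization, a destination allow-list,
// WordPress's own unsafe-URL check, and no HTML echo of remote content.
function example_proxy_fetch_hardened() {
    // 1. Authorization: a capability check plus a CSRF nonce. Without these,
    //    any subscriber-level account (or, with a nopriv hook, anyone) can call it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );      // wp_send_json_error() dies; nothing below runs
    }
    check_ajax_referer( 'example_proxy_nonce', 'nonce' );

    // 2. Destination allow-list: the feature only ever needs a fixed set of hosts.
    $allowed_hosts = array( 'api.example.com' );     // assumption for illustration
    $target = isset( $_GET['target'] ) ? esc_url_raw( wp_unslash( $_GET['target'] ) ) : '';
    $scheme = wp_parse_url( $target, PHP_URL_SCHEME );
    $host   = wp_parse_url( $target, PHP_URL_HOST );
    if ( 'https' !== $scheme || ! in_array( $host, $allowed_hosts, true ) ) {
        wp_send_json_error( 'destination not allowed', 400 );
    }

    // 3. wp_safe_remote_get() sets 'reject_unsafe_urls', so wp_http_validate_url()
    //    runs before the request: only http/https, no credentials in the URL, only
    //    ports 80/443/8080, and the host is resolved and rejected if it maps to
    //    127/8, 10/8, 172.16/12 or 192.168/16. It does NOT cover 169.254.0.0/16
    //    or IPv6, and its lookup is separate from the one the HTTP client does
    //    (DNS rebinding), which is why the allow-list above is the primary control.
    //    redirection => 0 stops a 302 from steering the request to another host;
    //    the short timeout limits use of the endpoint as a port-scan oracle.
    $response = wp_safe_remote_get( $target, array(
        'timeout'     => 5,
        'redirection' => 0,
    ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );   // do not leak the transport error to the caller
    }

    // 4. Return the remote content as JSON data, never as HTML in this origin.
    wp_send_json_success( array(
        'status' => wp_remote_retrieve_response_code( $response ),
        'body'   => wp_remote_retrieve_body( $response ),
    ) );
}
add_action( 'wp_ajax_example_proxy_safe', 'example_proxy_fetch_hardened' );
// Deliberately no wp_ajax_nopriv_ hook: for logged-out callers admin-ajax.php
// finds no handler and answers "0" with HTTP 400.
```

When reviewing a plugin for this class, grep for `wp_remote_get`, `wp_remote_request`, `file_get_contents`, `curl_init` and `fopen` and trace whether the URL argument reaches them from `$_GET`, `$_POST` or `$_REQUEST`; then check whether the handler is registered on a `wp_ajax_nopriv_` hook, a REST route with `permission_callback => '__return_true'`, or a standalone `.php` file that loads outside of WordPress (the Qards `html2canvasproxy.php` below is that last shape). The allow-list is what actually closes the hole; `wp_safe_remote_get()` alone still lets link-local and rebound addresses through.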
CVE-2018-20156 – WP Maintenance Mode <= 2.0.6 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-20156
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated "site administrator" users to execute arbitrary PHP code throughout a multisite network. • https://www.wordfence.com/blog/2016/07/3-vulnerabilities-wp-maintenance-mode • CWE-20: Improper Input Validation •
CVE-2017-18598 – Qards (All Versions) - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-18598
The Qards plugin through 2017-10-11 for WordPress has XSS via a remote document specified in the url parameter to html2canvasproxy.php. • https://wpvulndb.com/vulnerabilities/8934 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-20154 – WP Maintenance Mode <= 2.0.6 - Authenticated Information Disclosure
https://notcve.org/view.php?id=CVE-2018-20154
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses. • https://www.wordfence.com/blog/2016/07/3-vulnerabilities-wp-maintenance-mode • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2018-20155 – WP Maintenance Mode <= 2.0.6 - Missing Authorization
https://notcve.org/view.php?id=CVE-2018-20155
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings. • https://www.wordfence.com/blog/2016/07/3-vulnerabilities-wp-maintenance-mode • CWE-862: Missing Authorization •