
CVE-2023-6446 – Calculated Fields Form <= 1.2.40 - Authenticated (Admin+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-6446
05 Dec 2023 — The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been d... • https://plugins.trac.wordpress.org/changeset/3005354/calculated-fields-form • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-87: Improper Neutralization of Alternate XSS Syntax

CVE-2023-41732 – WordPress CP Blocks Plugin <= 1.0.20 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-41732
05 Sep 2023 — Cross-Site Request Forgery (CSRF) vulnerability in CodePeople CP Blocks plugin <= 1.0.20 versions. The CP Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.20. This is due to incorrect nonce validation in the admin-int-license.inc.php file. This makes it possible for unauthenticated attackers to update the license key via a forged r... • https://patchstack.com/database/vulnerability/cp-blocks/wordpress-cp-blocks-plugin-1-0-20-csrf-leading-to-plugin-settings-change-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2022-4034 – Appointment Hour Booking <= 1.3.72 - CSV Injection
https://notcve.org/view.php?id=CVE-2022-4034
29 Nov 2022 — The Appointment Hour Booking plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.3.72. This makes it possible for unauthenticated attackers to embed untrusted input into content during booking creation that may be exported as a CSV file when a site's administrator exports booking details. This can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2803896%40appointment-hour-booking&new=2803896%40appointment-hour-booking&sfp_email=&sfph_mail= • CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CVE-2022-4035 – Appointment Hour Booking <= 1.3.72 - Unauthenticated iFrame Injection via Appointment Form
https://notcve.org/view.php?id=CVE-2022-4035
29 Nov 2022 — The Appointment Hour Booking plugin for WordPress is vulnerable to iFrame Injection via the 'email' or general field parameters in versions up to, and including, 1.3.72 due to insufficient input sanitization and output escaping that makes injecting iFrame tags possible. This makes it possible for unauthenticated attackers to inject iFrames when submitting a booking that will execute whenever a user accesses the injected booking details page. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2803896%40appointment-hour-booking&new=2803896%40appointment-hour-booking&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-4036 – Appointment Hour Booking <= 1.3.72 - CAPTCHA Bypass
https://notcve.org/view.php?id=CVE-2022-4036
29 Nov 2022 — The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA bypass in versions up to, and including, 1.3.72. This is due to the use of an insufficiently strong hashing algorithm on the CAPTCHA secret, which is also displayed to the user via a cookie. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2803896%40appointment-hour-booking&new=2803896%40appointment-hour-booking&sfp_email=&sfph_mail= • CWE-326: Inadequate Encryption Strength CWE-804: Guessable CAPTCHA

CVE-2022-41692 – WordPress Appointment Hour Booking plugin <= 1.3.71 - Missing Authorization vulnerability
https://notcve.org/view.php?id=CVE-2022-41692
30 Oct 2022 — Missing Authorization vulnerability in Appointment Hour Booking plugin <= 1.3.71 on WordPress. The Appointment Hour Booking plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the cpapphb_feedback function in versions up to, and including, 1.3.71. This makes it possible for authenticated attackers, with subscriber-level permissions and above, ... • https://patchstack.com/database/vulnerability/appointment-hour-booking/wordpress-appointment-hour-booking-plugin-1-3-71-missing-authorization-vulnerability?_s_id=cve • CWE-862: Missing Authorization

CVE-2022-3427 – Corner Ad <= 1.0.56 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2022-3427
09 Sep 2022 — The Corner Ad plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.56. This is due to missing or incorrect nonce validation on its corner_ad_settings_page function. This makes it possible for unauthenticated attackers to trigger the deletion of ads via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/corner-ad/trunk/corner-ad.php?rev=2782613#L240 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2022-2846 – Calendar Event Multi View < 1.4.07 - Unauthenticated Arbitrary Event Creation to Stored XSS
https://notcve.org/view.php?id=CVE-2022-2846
16 Aug 2022 — The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in them. • https://packetstorm.news/files/id/171697 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization

CVE-2022-2169 – Loading Page with Loading Screen < 1.0.83 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2169
23 Jun 2022 — The Loading Page with Loading Screen WordPress plugin before 1.0.83 does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. • https://wpscan.com/vulnerability/a9f4aab7-b42b-4bb6-b05d-05407f935230 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2022-1710 – Appointment Hour Booking < 1.3.56 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1710
23 May 2022 — The Appointment Hour Booking WordPress plugin before 1.3.56 does not sanitise and escape the settings of its Calendar fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. • https://wpscan.com/vulnerability/ed162ccc-88e6-41e8-b24d-1b9f77a038b6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')