CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5134 – Easy Registration Forms <= 2.1.1 - Authenticated (Subscriber+) Information Disclosure via Shortcode
https://notcve.org/view.php?id=CVE-2023-5134
The Easy Registration Forms for WordPress is vulnerable to Information Disclosure via the 'erforms_user_meta' shortcode in versions up to, and including, 2.1.1 due to insufficient controls on the information retrievable via the shortcode. This makes it possible for authenticated attackers, with subscriber-level capabilities or above, to retrieve arbitrary sensitive user meta. Easy Registration Forms para WordPress es vulnerable a la Divulgación de Información a través del código corto 'erforms_user_meta' en versiones hasta la 2.1.1 inclusive debido a controles insuficientes sobre la información recuperable a través del código corto. Esto hace posible que atacantes autenticados, con capacidades de nivel de suscriptor o superior, recuperen metadatos de usuario sensibles y arbitrarios. • https://plugins.trac.wordpress.org/browser/easy-registration-forms/tags/2.1.1/includes/class-user.php#L835 https://www.wordfence.com/threat-intel/vulnerabilities/id/562fe11f-36a0-4f23-9eed-50ada7ab2961?source=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-39353 – Easy Registration Forms <= 2.1.1 Cross-Site Request Forgery to Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-39353
The Easy Registration Forms WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the ajax_add_form function found in the ~/includes/class-form.php file which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 2.1.1. El plugin Easy Registration Forms de WordPress es vulnerable a un ataque de tipo Cross-Site Request Forgery debido a que falta la comprobación de nonce por medio de la función ajax_add_form que se encuentra en el archivo ~/includes/class-form.php, que permite a atacantes inyectar scripts web arbitrarios en versiones hasta la 2.1.1 incluyéndola • https://plugins.trac.wordpress.org/browser/easy-registration-forms/tags/2.1.1/includes/class-form.php#L256 https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39353 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2020-22275 – Easy Registration Forms <= 2.0.6 - CSV Injection
https://notcve.org/view.php?id=CVE-2020-22275
Easy Registration Forms (ER Forms) Wordpress Plugin 2.0.6 allows an attacker to submit an entry with malicious CSV commands. After that, when the system administrator generates CSV output from the forms information, there is no check on this inputs and the codes are executable. Easy Registration Forms (ER Forms) en el Plugin de Wordpress versión 2.0.6, permite a un atacante enviar una entrada con comandos CSV maliciosos. Después de eso, cuando el administrador del sistema genera una salida CSV desde la información de los formularios, no presenta una comprobación de estas entradas y los códigos son ejecutables • http://uploadboy.com/ty0715vdcii6/886/mp4 https://cert.ikiu.ac.ir/public-files/news/document/CVE-99/CVE-2020-22275.pdf https://filebin.net/30ceikgukh268yyj • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-1236: Improper Neutralization of Formula Elements in a CSV File •