CVSS: 4.3EPSS: %CPEs: 1EXPL: 0CVE-2024-11265 – Wp Maximum Upload File Size <= 1.1.3 - Authenticated (Author+) Full Path Disclosure
https://notcve.org/view.php?id=CVE-2024-11265
The Increase Maximum Upload File Size | Increase Execution Time plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.1.3. This is due to returning image upload error messages with full path information. This makes it possible for authenticated attackers, with author-level permissions and above, to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51841 – WordPress File Select Control For Elementor plugin <= 1.3 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-51841
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNcode File Select Control For Elementor allows DOM-Based XSS.This issue affects File Select Control For Elementor: from n/a through 1.3. The File Select Control For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/file-select-control-for-elementor/wordpress-file-select-control-for-elementor-plugin-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51892 – WordPress Sell Media File with Stripe plugin <= 1.0.6 - Stored Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-51892
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in naa986 Sell Media File with Stripe allows Stored XSS.This issue affects Sell Media File with Stripe: from n/a through 1.0.6. The Sell Media File with Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/sell-media-file/wordpress-sell-media-file-with-stripe-plugin-1-0-6-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8918 – File Manager Pro <= 8.3.9 - Unauthenticated Limited JavaScript File Upload
https://notcve.org/view.php?id=CVE-2024-8918
The File Manager Pro plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 8.3.9. This is due to a lack of proper checks on allowed file types. This makes it possible for unauthenticated attackers, with permissions granted by an administrator, to upload .css and .js files, which could lead to Stored Cross-Site Scripting. • https://www.wordfence.com/threat-intel/vulnerabilities/id/01ef62c8-e862-422c-948d-6d376d021c82?source=cve https://filemanagerpro.io • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8507 – File Manager Pro <= 8.3.9 - Cross-Site Request Forgery to Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-8507
The File Manager Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.3.9. This is due to missing or incorrect nonce validation on the 'mk_file_folder_manager' ajax action. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://www.wordfence.com/threat-intel/vulnerabilities/id/db70b37c-707a-47b8-a3a2-5a2b7d30de89?source=cve https://filemanagerpro.io • CWE-352: Cross-Site Request Forgery (CSRF) •