CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28413 – Snow Monkey Forms <= 5.1.1 - Directory Traversal via 'view' REST endpiont
https://notcve.org/view.php?id=CVE-2023-28413
Directory traversal vulnerability in Snow Monkey Forms versions v5.0.6 and earlier allows a remote unauthenticated attacker to obtain sensitive information, alter the website, or cause a denial-of-service (DoS) condition. The Snow Monkey Forms plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.1.1 via the 'view' REST endpoint. This allows unauthenticated attackers to upload files with randomized names and non-executable extensions to arbitrary folders. • https://jvn.jp/en/jp/JVN01093915 https://snow-monkey.2inc.org/2023/04/28/snow-monkey-forms-v5-0-7 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3834 – Google Forms <= 0.95 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-3834
The Google Forms WordPress plugin through 0.95 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). El complemento Google Forms de WordPress hasta la versión 0.95 no sanitiza ni escapa a algunas de sus configuraciones, lo que podría permitir a usuarios con privilegios elevados, como el administrador, realizar ataques de Cross-Site Scripting (XSS) Almacenado incluso cuando la capacidad unfiltered_html no está permitida (por ejemplo, en una configuración multisitio). The Google Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 0.95 due to insufficient input sanitization and output escaping. This makes it possible for administrator-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/1dbe0f24-b757-49fe-846f-7c259df9f361 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2022-3154 – Multiple Plugins from Viszt Peter - Multiple CSRF
https://notcve.org/view.php?id=CVE-2022-3154
The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo & Gravity Forms WordPress plugin before 1.0.4, Integration for Szamlazz.hu & Gravity Forms WordPress plugin before 1.2.7 are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin's license El plugin Woo Billingo Plus de WordPress versiones anteriores a 4.4.5.4, el plugin Integration for Billingo & Gravity Forms de WordPress versiones anteriores a 1.0.4 y el plugin Integration for Szamlazz.hu & Gravity Forms de WordPress versiones anteriores a 1.2.7 carecen de comprobaciones de tipo CSRF en varias acciones AJAX, lo que podría permitir a atacantes hacer que los administradores de tiendas registrados y superiores lleven a cabo acciones no deseadas, como desactivar la licencia del plugin The plugins 'Integration for Billingo & Gravity Forms' up to version 1.0.3, 'Integration for Szamlazz.hu & Gravity Forms' up to version 1.2.6, and 'Woo Billingo Plus' up to version 4.4.5.3 for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing or incorrect nonce validation in various AJAX actions. This allows unauthenticated attackers to make logged in Shop Managers and above perform unwanted actions granted they can trick such a user into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/cda978b2-b31f-495d-8601-0aaa3e4b45cd • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-40191 – WordPress Contact Form By Mega Forms plugin <= 1.2.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2022-40191
Authenticated (subscriber+) Stored Cross-Site Scripting (XSS) vulnerability in Ali Khallad's Contact Form By Mega Forms plugin <= 1.2.4 at WordPress. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) Almacenado Autenticado (suscriptor+) en Ali Khallads Contact Form By Mega Forms plugin versiones anteriores a 1.2.4 incluyéndola, en WordPress The Contact Form By Mega Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/mega-forms/wordpress-contact-form-by-mega-forms-plugin-1-2-4-authenticated-stored-cross-site-scripting-xss-vulnerability/_s_id=cve https://wordpress.org/plugins/mega-forms/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2021-23388 – Regular Expression Denial of Service (ReDoS)
https://notcve.org/view.php?id=CVE-2021-23388
The package forms before 1.2.1, from 1.3.0 and before 1.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via email validation. Los formularios de paquetes versiones anteriores a 1.2.1, desde versión 1.3.0 y versiones anteriores a 1.3.2, son vulnerables a una Denegación de Servicio de Expresión Regular (ReDoS) por medio de la comprobación por correo electrónico • https://github.com/caolan/forms/pull/214 https://github.com/caolan/forms/pull/214/commits/d4bd5b5febfe49c1f585f162e04ec810f8dc47a0 https://snyk.io/vuln/SNYK-JS-FORMS-1296389 •