
CVE-2024-10621 – Simple Shortcode for Google Maps <= 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2024-10621
07 Nov 2024 — The Simple Shortcode for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's pw_map shortcode in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3181804%40simple-google-maps-short-code%2Ftrunk&old=3065630%40simple-google-maps-short-code%2Ftrunk&sfp_email=&sfph_mail= • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
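How this flaw class arises and how it is closed, as an added example that is not the plugin's code: a shortcode callback in the vulnerable style the advisory describes (attribute values concatenated into markup) beside a hardened one. Only the shortcode tag `pw_map` comes from the advisory; the attribute names (`address`, `width`, `height`, `zoom`) and the `example_` function names are assumptions. The Contributor+ detail matters because a Contributor cannot post `<script>` (KSES strips it), but a shortcode tag is plain text that survives KSES and is expanded into raw HTML at render time, so the callback's own escaping is the only defence.

```php
<?php
// Added example: not the plugin's code. Only the shortcode tag pw_map comes
// from the advisory; attribute names and example_ functions are assumptions.

// VULNERABLE. Attribute values are concatenated straight into the markup.
// A Contributor's post content goes through KSES, but this shortcode tag is
// plain text and passes; it becomes raw HTML when the post is rendered:
//   [pw_map address='x" onmouseover="alert(document.cookie)']
// The embedded double quote closes data-address and the rest is an event handler.
function example_pw_map_vulnerable( $atts ) {
    $atts = shortcode_atts( array(
        'address' => '',
        'width'   => '100%',
        'height'  => '400px',
        'zoom'    => '14',
    ), $atts, 'pw_map' );

    return '<div class="pw-map" style="width:' . $atts['width'] . ';height:' . $atts['height'] . '"'
         . ' data-address="' . $atts['address'] . '" data-zoom="' . $atts['zoom'] . '"></div>';
}

// HARDENED. Validate what has a known shape (CSS lengths, zoom level), sanitize
// the free text, and escape every value for the context it lands in (attributes).
function example_pw_map_hardened( $atts ) {
    $atts = shortcode_atts( array(
        'address' => '',
        'width'   => '100%',
        'height'  => '400px',
        'zoom'    => '14',
    ), $atts, 'pw_map' );

    // Accept only CSS lengths such as 100%, 400px, 20em; anything else falls back.
    $css_length = function ( $value, $default ) {
        return preg_match( '/^\d+(\.\d+)?(px|%|em|rem|vh|vw)$/', $value ) ? $value : $default;
    };
    $width  = $css_length( $atts['width'], '100%' );
    $height = $css_length( $atts['height'], '400px' );
    $zoom   = min( 21, absint( $atts['zoom'] ) ); // Google Maps zoom levels run 0..21

    return sprintf(
        '<div class="pw-map" style="width:%s;height:%s" data-address="%s" data-zoom="%d"></div>',
        esc_attr( $width ),
        esc_attr( $height ),
        esc_attr( sanitize_text_field( $atts['address'] ) ),
        $zoom
    );
}
add_shortcode( 'pw_map', 'example_pw_map_hardened' );
```

With the hardened callback the payload above renders as `data-address="x&quot; onmouseover=&quot;alert(document.cookie)"`, inert text inside one attribute. Escaping alone would also have stopped the injection; the validation of `width`, `height` and `zoom` is there because `esc_attr()` does not make an arbitrary string a sensible CSS length or zoom level.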

CVE-2022-4974 – Freemius SDK <= 2.4.2 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2022-4974
04 Mar 2022 — The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and _set_db_option functions in versions up to, and including, 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable. • https://www.wordfence.com/threat-intel/vulnerabilities/id/39fb0499-9ab4-4a2f-b0db-ece86bcf4d42?source=cve • CWE-862: Missing Authorization •

CVE-2021-24767 – Redirect 404 Error Page to Homepage or Custom Page with Logs < 1.7.9 - Log Deletion via CSRF
https://notcve.org/view.php?id=CVE-2021-24767
06 Oct 2021 — The Redirect 404 Error Page to Homepage or Custom Page with Logs WordPress plugin before 1.7.9 does not check for CSRF when deleting logs, which could allow an attacker to make a logged-in admin delete them via a CSRF attack. • https://wpscan.com/vulnerability/0b35ad4a-3d94-49b1-a98d-07acf8dd4962 • CWE-352: Cross-Site Request Forgery (CSRF) •
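The hardening that both CVE-2022-4974 (missing capability checks and nonces on admin-ajax handlers that read and write options) and CVE-2021-24767 (a log-deleting admin action with no nonce) lack is the same two-part check, so one added example covers both. This is not Freemius's or the plugin's code: the hook names, nonce actions, option handling, table name and `example_` functions are assumptions for illustration.

```php
<?php
// Added example: not Freemius's or the plugin's code. Hook, nonce, option and
// table names and the example_ functions are assumptions for illustration.

// --- CVE-2022-4974 pattern: missing authorization on an admin-ajax handler ---

// VULNERABLE. wp_ajax_* handlers fire for ANY logged-in user (a Subscriber
// included) and, without a nonce, for any request a logged-in user's browser
// can be induced to send. Nothing here checks who is asking or what they may read.
function example_get_db_option_vulnerable() {
    $option = isset( $_POST['option_name'] ) ? $_POST['option_name'] : '';
    wp_send_json_success( get_option( $option ) ); // discloses any wp_options row
}
// Would be wired up as:
// add_action( 'wp_ajax_example_get_db_option', 'example_get_db_option_vulnerable' );

// HARDENED. A nonce bound to this action defeats CSRF; a capability check is
// the authorization step. is_user_logged_in() is not a substitute for either.
function example_get_db_option_hardened() {
    check_ajax_referer( 'example_debug_nonce', 'nonce' ); // 403 and die on a forged request
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw    = isset( $_POST['option_name'] ) ? $_POST['option_name'] : '';
    $option = sanitize_key( wp_unslash( $raw ) );
    wp_send_json_success( get_option( $option ) );
}
add_action( 'wp_ajax_example_get_db_option', 'example_get_db_option_hardened' );
// The client obtains the nonce from wp_create_nonce( 'example_debug_nonce' ),
// passed to the admin page's script via wp_localize_script() or a hidden field.

// --- CVE-2021-24767 pattern: state change on a bare GET, no nonce ---

// VULNERABLE. Loading
//   /wp-admin/admin.php?page=example_404_logs&action=delete_logs
// truncates the table. An attacker's page containing <img src="that URL"> does it
// with the admin's own session cookie; that is the CSRF the advisory describes.
function example_delete_logs_vulnerable() {
    global $wpdb;
    if ( isset( $_GET['action'] ) && 'delete_logs' === $_GET['action'] ) {
        $wpdb->query( "TRUNCATE TABLE {$wpdb->prefix}example_404_log" );
    }
}

// HARDENED. The link the plugin renders carries a nonce, and the handler refuses
// the action unless that nonce verifies and the user may manage options.
function example_delete_logs_link() {
    $url = add_query_arg(
        array( 'page' => 'example_404_logs', 'action' => 'delete_logs' ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'example_delete_logs' ); // appends _wpnonce tied to user, session and action
}

function example_delete_logs_hardened() {
    global $wpdb;
    if ( ! isset( $_GET['action'] ) || 'delete_logs' !== $_GET['action'] ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_delete_logs' ); // verifies _wpnonce; dies on failure
    $wpdb->query( "TRUNCATE TABLE {$wpdb->prefix}example_404_log" );
    wp_safe_redirect( remove_query_arg( array( 'action', '_wpnonce' ) ) );
    exit;
}
```

The order of the two checks matters little for safety but does for behaviour: a capability check first gives an unauthorized user a clean 403 instead of a nonce error. A WordPress nonce is not a CSRF token in the strict sense (it is valid for 12 to 24 hours and is not per-form), but it is bound to the user, the session token and the action string, which is enough to stop a third-party page from forging the request.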

CVE-2017-1000226 – Stop User Enumeration plugin <1.3.9 - User Enumeration
https://notcve.org/view.php?id=CVE-2017-1000226
16 May 2017 — Stop User Enumeration 1.3.8 allows user enumeration via the REST API. The Stop User Enumeration plugin for WordPress is vulnerable to User Enumeration in versions up to, and including, 1.3.8. This is due to a flaw in the plugin's handling of REST API requests. This makes it possible for unauthenticated attackers to reach the users endpoint with a POST request, since the REST API allows simulating different request types. As such, attackers can perform a POST reques... • https://security.dxw.com/advisories/stop-user-enumeration-rest-api • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
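Why a method-based block of the REST users endpoint fails and what a method-independent one looks like, as an added example that is not the plugin's code. The flawed filter below is a reconstruction of the class of check the advisory describes (deciding on the HTTP verb and raw URI), not the plugin's actual code; the route regex and `example_` function names are assumptions. The bypass mechanics are WordPress core behaviour: `WP_REST_Server::serve_request()` honours a `_method` query parameter and the `X-HTTP-Method-Override` header, so a POST is dispatched internally as GET while `$_SERVER['REQUEST_METHOD']` still reads `POST`, and every route is also reachable as `/?rest_route=/wp/v2/users` without `/wp-json/` in the URI.

```php
<?php
// Added example: not the plugin's code. The flawed filter reconstructs the class
// of check the advisory describes; route regex and function names are assumptions.

// FLAWED. Decides on the transport verb and the raw URI. The REST server itself
// provides the bypasses:
//   POST /wp-json/wp/v2/users?_method=GET              (REQUEST_METHOD is "POST")
//   POST /wp-json/wp/v2/users + X-HTTP-Method-Override: GET
//   GET  /?rest_route=/wp/v2/users                      (no "/wp-json/" in the URI)
function example_block_users_flawed() {
    if ( is_user_logged_in() ) {
        return;
    }
    $method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '';
    $uri    = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    if ( 'GET' === $method && false !== strpos( $uri, '/wp-json/wp/v2/users' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
}
// Would be wired up as: add_action( 'init', 'example_block_users_flawed' );

// HARDENED. Decide on the dispatched route, after WP_REST_Server has applied any
// method override and resolved either URL form. The verb never enters the decision.
function example_block_users_hardened( $result, $server, $request ) {
    if ( null !== $result || is_user_logged_in() ) {
        return $result; // an earlier filter already answered, or the caller is authenticated
    }
    $route = $request->get_route(); // normalized, e.g. "/wp/v2/users" or "/wp/v2/users/3"
    if ( preg_match( '#^/wp/v2/users(/|$)#', $route ) ) {
        return new WP_Error(
            'rest_user_cannot_view',
            'Sorry, you are not allowed to list users.',
            array( 'status' => 401 )
        );
    }
    return $result;
}
add_filter( 'rest_pre_dispatch', 'example_block_users_hardened', 10, 3 );
```

To verify a fix of this kind, send all three request shapes listed in the comments to a staging site while logged out; each should come back 401 from the hardened filter, and the `_method=GET` POST is the one that separates a real fix from a verb check. Note that the REST users route is only one enumeration vector in WordPress; a plugin that promises to stop enumeration also has to deal with author archives and the author fields of other REST resources, which this advisory does not cover.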

CVE-2017-18536 – Stop User Enumeration <= 1.3.7 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-18536
15 Jan 2017 — The stop-user-enumeration plugin before 1.3.8 for WordPress has XSS. The Stop User Enumeration plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts that execute in a victim's browser. • https://wordpress.org/plugins/stop-user-enumeration/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •