CVE-2023-5383 – Funnelforms Free <= 3.4 - Cross-Site Request Forgery to Arbitrary Post Duplication
https://notcve.org/view.php?id=CVE-2023-5383
The Funnelforms Free plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4. This is due to missing or incorrect nonce validation on the fnsf_copy_posts function. This makes it possible for unauthenticated attackers to create copies of arbitrary posts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
• https://plugins.trac.wordpress.org/changeset/2986938/funnelforms-free
• https://www.wordfence.com/threat-intel/vulnerabilities/id/d35ec0f0-fa7a-4531-b5f7-5adcf2af051c?source=cve
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-5386 – Funnelforms Free <= 3.4 - Missing Authorization to Arbitrary Post Deletion
https://notcve.org/view.php?id=CVE-2023-5386
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_posts function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts, including administrator posts and posts not related to the Funnelforms Free plugin.
• https://plugins.trac.wordpress.org/changeset/2986938/funnelforms-free
• https://www.wordfence.com/threat-intel/vulnerabilities/id/400fe58b-8203-4fd5-a3d3-d30eb1b8cd85?source=cve
• CWE-862: Missing Authorization
CVE-2023-5382 – Funnelforms Free <= 3.4 - Cross-Site Request Forgery to Arbitrary Post Deletion
https://notcve.org/view.php?id=CVE-2023-5382
The Funnelforms Free plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4. This is due to missing or incorrect nonce validation on the fnsf_delete_posts function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
• https://plugins.trac.wordpress.org/changeset/2986938/funnelforms-free
• https://www.wordfence.com/threat-intel/vulnerabilities/id/72e4428b-d2cd-471f-9821-947f4601fd64?source=cve
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-5416 – Funnelforms Free <= 3.4 - Missing Authorization to Category Deletion
https://notcve.org/view.php?id=CVE-2023-5416
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete categories.
• https://plugins.trac.wordpress.org/changeset/2986938/funnelforms-free
• https://www.wordfence.com/threat-intel/vulnerabilities/id/992fc98f-4b23-4596-81fb-5543d82fd615?source=cve
• CWE-862: Missing Authorization
CVE-2023-5419 – Funnelforms Free <= 3.4 - Missing Authorization to Test Email Sending
https://notcve.org/view.php?id=CVE-2023-5419
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_test_mail function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to send test emails to an arbitrary email address.
• https://plugins.trac.wordpress.org/changeset/2986938/funnelforms-free
• https://www.wordfence.com/threat-intel/vulnerabilities/id/64248d15-e6a7-442f-b269-e9f629d297d3?source=cve
• CWE-862: Missing Authorization