CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Oct 2023 — Cross-Site Request Forgery (CSRF) vulnerability in Lasso Simple URLs plugin <= 120 versions. The Simple URLs plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 120. This is due to missing or incorrect nonce validation on multiple AJAX functions. This makes it possible for unauthenticated attackers to perform unauthorized actions (e.g., delete arbitra... • https://patchstack.com/database/vulnerability/simple-urls/wordpress-simple-urls-plugin-120-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Aug 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lasso Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management allows Stored XSS. This issue affects Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management: from n/a through 118. ... • https://patchstack.com/database/vulnerability/simple-urls/wordpress-simple-urls-plugin-117-shortcode-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Aug 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Lasso Simple URLs plugin <= 117 versions. The Simple URLs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post_id' parameter in versions up to, and including, 117 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbi... • https://patchstack.com/database/vulnerability/simple-urls/wordpress-simple-urls-plugin-117-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

17 Jan 2023 — The Simple URLs WordPress plugin before 115 does not escape some parameters before using them in various SQL statements used by AJAX actions available by any authenticated users, leading to a SQL injection exploitable by low privilege users such as subscriber. The Simple URLs plugin for WordPress is vulnerable to SQL Injection via several AJAX actions in versions up to, and including, 114 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query... • https://wpscan.com/vulnerability/db0b3275-40df-404e-aa8d-53558f0122d8 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 2

17 Jan 2023 — The Simple URLs WordPress plugin before 115 does not sanitise and escape some parameters before outputting them back in some pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. The Simple URLs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters in versions up to, and including, 114 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbit... • https://github.com/amirzargham/CVE-2023-0099-exploit • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •