CVE-2023-0167 – GetResponse for WordPress <= 5.5.31 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0167
25 Jan 2023 — The GetResponse for WordPress plugin through 5.5.31 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The GetResponse for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 5.5.31 due to insufficient input sanitization and output ... • https://wpscan.com/vulnerability/fafbf666-b908-48ef-9041-fea653e9bfeb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-35277 – WordPress GetResponse plugin <= 5.5.20 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-35277
01 Sep 2022 — Cross-Site Request Forgery (CSRF) vulnerability in GetResponse plugin <= 5.5.20 at WordPress. A Cross-Site Request Forgery (CSRF) vulnerability in the GetResponse plugin for WordPress, versions up to and including 5.5.20. The GetResponse plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.5.19. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to trigger API Key up... • https://patchstack.com/database/vulnerability/getresponse-integration/wordpress-getresponse-plugin-5-5-18-cross-site-request-forgery-csrf-vulnerability-leading-to-api-key-update/_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)