
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

07 Jan 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HashThemes Hash Elements. This issue affects Hash Elements: from n/a through 1.4.9. • https://patchstack.com/database/wordpress/plugin/hash-elements/vulnerability/wordpress-hash-elements-plugin-1-4-9-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Dec 2024 — The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check when creating form styles in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create new form styles. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3205245%40hash-form&new=3205245%40hash-form&sfp_email=&sfph_mail= • CWE-862: Missing Authorization

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Nov 2024 — The Hash Elements plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hash_elements_get_posts_title_by_id() function in all versions up to, and including, 1.4.7. This makes it possible for unauthenticated attackers to retrieve draft post titles that should not be accessible to unauthenticated users. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3186151%40hash-elements&new=3186151%40hash-elements&sfp_email=&sfph_mail= • CWE-862: Missing Authorization

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

04 Oct 2024 — The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to limited file uploads due to a misconfigured file type validation in the 'handleUpload' function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to upload files that are excluded from both the 'allowedExtensions' and 'unallowed_extensions' arrays on the affected site's server, including files that may contain cross-site scripting. • https://plugins.trac.wordpress.org/browser/hash-form/trunk/admin/classes/HashFormUploader.php#L107 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 May 2024 — The Hash Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter within multiple widgets in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/hash-elements/trunk/modules/news-module-one/widgets/news-module-one.php#L720 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 6

22 May 2024 — The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://github.com/WOOOOONG/CVE-2024-5084 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 May 2024 — The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input in the 'process_entry' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensi... • https://plugins.trac.wordpress.org/browser/hash-form/trunk/admin/classes/HashFormEntry.php#L353 • CWE-502: Deserialization of Untrusted Data

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Mar 2024 — The Total theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the total_order_sections() function in all versions up to, and including, 2.1.59. This makes it possible for authenticated attackers, with subscriber-level access and above, to repeat sections on the homepage. • https://themes.trac.wordpress.org/browser/total/2.1.59/inc/customizer/customizer-functions.php#L112 • CWE-862: Missing Authorization

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

26 Oct 2021 — The Hashthemes Demo Importer Plugin <= 1.1.1 for WordPress contained several AJAX functions which relied on a nonce which was visible to all logged-in users for access control, allowing them to execute a function that truncated nearly all database tables and removed the contents of wp-content/uploads. • https://www.wordfence.com/blog/2021/10/site-deletion-vulnerability-in-hashthemes-plugin • CWE-284: Improper Access Control • CWE-862: Missing Authorization