CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8478 – Affiliate Super Assistent <= 1.5.3 - Unauthenticated Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-8478
The The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes in comments when the 'Parse comments' option is enabled. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. • https://plugins.trac.wordpress.org/browser/amazonsimpleadmin/trunk/AsaCore.php#L285 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3147740%40amazonsimpleadmin&new=3147740%40amazonsimpleadmin&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/7f50769c-77b8-42ff-b67d-b9b289fc51da?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-27417 – WordPress Affiliate Super Assistent Plugin <= 1.5.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-27417
Cross-Site Request Forgery (CSRF) vulnerability in Timo Reith Affiliate Super Assistent plugin <= 1.5.1 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento Timo Reith Affiliate Super Assistent en versiones <= 1.5.1. The Affiliate Super Assistent plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.1. This is due to missing or incorrect nonce validation on several functions such as the '_displayPreDispatcher', '_displayDispatcher', & '_displayTestPage' functions. This makes it possible for unauthenticated attackers to perform many actions like updating plugin settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/amazonsimpleadmin/wordpress-affiliate-super-assistent-plugin-1-5-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •