CVSS: 9.8EPSS: 66%CPEs: 18EXPL: 4CVE-2014-6446 – Infusionsoft Gravity Forms Add-on 1.5.3 - 1.5.10 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2014-6446
The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for WordPress does not properly restrict access, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code via a request to utilities/code_generator.php. El plugin Infusionsoft Gravity Forms 1.5.3 hasta 1.5.10 para WordPress no restringe debidamente el acceso, lo que permite a atacantes remotos subir ficheros arbitrarios y ejecutar código PHP arbitrario a través de una solicitud en utilities/code_generator.php. • https://www.exploit-db.com/exploits/34925 http://osvdb.org/show/osvdb/112171 http://packetstormsecurity.com/files/131002/Wordpress-InfusionSoft-Shell-Upload.html http://research.g0blin.co.uk/cve-2014-6446 http://www.exploit-db.com/exploits/34925 https://wordpress.org/plugins/infusionsoft/changelog • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2014-4536 – Infusionsoft Gravity Forms Add-on < 1.5.7 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-4536
Multiple cross-site scripting (XSS) vulnerabilities in tests/notAuto_test_ContactService_pauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) go, (2) contactId, or (3) campaignId parameter. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en el archivo tests/notAuto_test_ContactService_pauseCampaign.php en el plugin Infusionsoft Gravity Forms versiones anteriores a la versión 1.5.6 para WordPress, permiten a atacantes remotos inyectar script web o HTML arbitrario por medio del parámetro (1) go, (2) contactId, o (3) campaignId. • http://codevigilant.com/disclosure/wp-plugin-infusionsoft-a3-cross-site-scripting-xss http://wordpress.org/plugins/infusionsoft/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •