
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.23. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
• https://plugins.trac.wordpress.org/browser/slicewp/tags/1.1.23/includes/admin/settings/views/view-settings-tab-general.php#L437
• https://plugins.trac.wordpress.org/browser/slicewp/tags/1.1.23/includes/admin/settings/views/view-settings-tab-general.php#L451
• https://plugins.trac.wordpress.org/browser/slicewp/trunk/includes/admin/settings/functions-actions-settings.php#L14
• https://plugins.trac.wordpress.org/changeset/3207576
• https://wordpress.org/plugins/slicewp/#developers
• https://www.wordfence.com/thre
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

The WordPress Affiliates Plugin — SliceWP Affiliates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.20. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
• https://plugins.trac.wordpress.org/browser/slicewp/tags/1.1.20/includes/admin/commissions/class-list-table-commissions.php#L544
• https://plugins.trac.wordpress.org/browser/slicewp/tags/1.1.20/includes/admin/payouts/class-list-table-payments.php#L490
• https://plugins.trac.wordpress.org/browser/slicewp/tags/1.1.20/includes/admin/visits/class-list-table-visits.php#L396
• https://plugins.trac.wordpress.org/changeset/3151062
• https://www.wordfence.com/threat-intel/vulnerabilities/id/45dd22d4-9a51-4569-a756-1f
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the creating_pricing_table_page function in all versions up to, and including, 2.11.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create pricing tables.
• https://plugins.trac.wordpress.org/browser/paid-member-subscriptions/trunk/includes/admin/class-admin-subscription-plans.php#L477
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3034497%40paid-member-subscriptions%2Ftrunk&old=3031453%40paid-member-subscriptions%2Ftrunk&sfp_email=&sfph_mail=
• https://www.wordfence.com/threat-intel/vulnerabilities/id/10f00859-3adf-40ff-8f33-827bbb1f62df?source=cve
• CWE-862: Missing Authorization

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pms_stripe_connect_handle_authorization_return function in all versions up to, and including, 2.11.1. This makes it possible for unauthenticated attackers to change the Stripe payment keys.
• https://plugins.trac.wordpress.org/browser/paid-member-subscriptions/trunk/includes/gateways/stripe/admin/functions-admin-connect.php#L11
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3034497%40paid-member-subscriptions%2Ftrunk&old=3031453%40paid-member-subscriptions%2Ftrunk&sfp_email=&sfph_mail=
• https://www.wordfence.com/threat-intel/vulnerabilities/id/cd5f5861-5be4-456d-915d-bafb7bff2110?source=cve
• CWE-862: Missing Authorization