
CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

24 Jan 2025 — Cross-Site Request Forgery (CSRF) vulnerability in Laymance Technologies LLC MachForm Shortcode allows Stored XSS. This issue affects MachForm Shortcode: from n/a through 1.4.1. The MachForm Shortcode plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted... • https://patchstack.com/database/wordpress/plugin/machform-shortcode/vulnerability/wordpress-machform-shortcode-plugin-1-4-1-csrf-to-stored-xss-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 9.9 • EPSS: 0% • CPEs: 1 • EXPL: 1

01 Jul 2024 — MachForm up to version 21 is affected by an authenticated unrestricted file upload which leads to a remote code execution. • https://github.com/Atreb92/cve-2024-37762 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

01 Jul 2024 — MachForm up to version 19 is affected by an authenticated stored cross-site scripting. • https://github.com/Atreb92/cve-2024-37764 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

01 Jul 2024 — Machform up to version 19 is affected by an authenticated Blind SQL injection in the user account settings page. • https://github.com/Atreb92/cve-2024-37765 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Jun 2021 — Machform prior to version 16 is vulnerable to an open redirect in Safari_init.php due to an improperly sanitized 'ref' parameter. • https://www.tenable.com/security/research/tra-2021-25, https://www.machform.com/blog-machform-16-released • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Jun 2021 — Machform prior to version 16 is vulnerable to unauthenticated remote code execution due to insufficient sanitization of file attachments uploaded with forms through upload.php. • https://www.tenable.com/security/research/tra-2021-25, https://www.machform.com/blog-machform-16-released • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Jun 2021 — Machform prior to version 16 is vulnerable to stored cross-site scripting due to insufficient sanitization of file attachments uploaded with forms through upload.php. • https://www.tenable.com/security/research/tra-2021-25, https://www.machform.com/blog-machform-16-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Jun 2021 — Machform prior to version 16 is vulnerable to cross-site request forgery due to a lack of CSRF tokens in place. • https://www.tenable.com/security/research/tra-2021-25, https://www.machform.com/blog-machform-16-released • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Jun 2021 — Machform prior to version 16 is vulnerable to HTTP host header injection due to improperly validated host headers. This could cause a victim to receive malformed content. • https://www.tenable.com/security/research/tra-2021-25, https://www.machform.com/blog-machform-16-released • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 3

26 May 2018 — An issue was discovered in Appnitro MachForm before 4.2.3. When the form is set to filter a blacklist, it automatically adds dangerous extensions to the filters. If the filter is set to a whitelist, the dangerous extensions can be bypassed through ap_form_elements SQL Injection. • https://packetstorm.news/files/id/147948 • CWE-434: Unrestricted Upload of File with Dangerous Type •