CVE-2024-10913 – Clone <= 2.4.6 - Unauthenticated PHP Object Injection via 'recursive_unserialized_replace'
https://notcve.org/view.php?id=CVE-2024-10913
The Clone plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.6 via deserialization of untrusted input in the 'recursive_unserialized_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
• https://plugins.trac.wordpress.org/browser/wp-clone-by-wp-academy//tags/2.4.6/lib/icit_srdb_replacer.php#L24
• https://plugins.trac.wordpress.org/browser/wp-clone-by-wp-academy/tags/2.4.7/lib/icit_srdb_replacer.php#L24
• https://www.wordfence.com/threat-intel/vulnerabilities/id/16569267-ab52-4b96-86f0-d37c470a3938?source=cve
• CWE-502: Deserialization of Untrusted Data
CVE-2024-30225 – WordPress WP Migrate plugin <= 2.6.10 - Unauthenticated PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-30225
Deserialization of Untrusted Data vulnerability in WPENGINE, INC. WP Migrate. This issue affects WP Migrate: from n/a through 2.6.10.
• https://patchstack.com/database/vulnerability/wp-migrate-db-pro/wordpress-wp-migrate-plugin-2-6-10-unauthenticated-php-object-injection-vulnerability?_s_id=cve
• CWE-502: Deserialization of Untrusted Data
CVE-2021-24477 – Migrate Users <= 1.0.1 - CSRF to Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24477
The Migrate Users WordPress plugin through 1.0.1 does not sanitise or escape its Delimiter option before outputting it in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have a CSRF check in place when saving its options, allowing the issue to be exploited via a CSRF attack.
• https://wpscan.com/vulnerability/7915070f-1d9b-43c3-b01e-fec35f633a4d
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2015-5514
https://notcve.org/view.php?id=CVE-2015-5514
Cross-site scripting (XSS) vulnerability in the Migrate module 7.x-2.x before 7.x-2.8 for Drupal, when the migrate_ui submodule is enabled, allows user-assisted remote attackers to inject arbitrary web script or HTML via a destination field label.
• http://www.openwall.com/lists/oss-security/2015/07/04/4
• https://www.drupal.org/node/2516560
• https://www.drupal.org/node/2516678
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')