CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24804 – WordPress MW WP Form Plugin <= 5.0.6 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2024-24804
31 Jan 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in websoudan MW WP Form allows Stored XSS.This issue affects MW WP Form: from n/a through 5.0.6. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('cross-site Scripting') en websoudan MW WP Form permite almacenar XSS. Este problema afecta a MW WP Form: desde n/a hasta 5.0.6. The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting in vers... • https://patchstack.com/database/vulnerability/mw-wp-form/wordpress-mw-wp-form-plugin-5-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6559 – MW WP Form <= 5.0.3 - Improper Limitation of File Name to Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2023-6559
15 Dec 2023 — The MW WP Form plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 5.0.3. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible. El complemento MW WP Form para WordPress es vulnerable a la eliminación arbitraria de archivos en todas las ve... • https://plugins.trac.wordpress.org/changeset/3007879/mw-wp-form • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6316 – MW WP Form <= 5.0.1 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-6316
04 Dec 2023 — The MW WP Form plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the '_single_file_upload' function in versions up to, and including, 5.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. El complemento MW WP Form para WordPress es vulnerable a cargas de archivos arbitrarias debido a una validación insuficiente del tipo de archivo en la función '... • https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.0.1/classes/models/class.file.php#L60 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46206 – WordPress MW WP Form plugin <= 4.4.5 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-46206
19 Oct 2023 — Missing Authorization vulnerability in websoudan MW WP Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MW WP Form: from n/a through 4.4.5. The MW WP Form plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in versions up to, and including, 4.4.5. This makes it possible for unauthenticated attackers to perform unauthorized actions. • https://patchstack.com/database/wordpress/plugin/mw-wp-form/vulnerability/wordpress-mw-wp-form-plugin-4-4-5-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28408
https://notcve.org/view.php?id=CVE-2023-28408
23 May 2023 — Directory traversal vulnerability in MW WP Form versions v4.4.2 and earlier allows a remote unauthenticated attacker to alter the website or cause a denial-of-service (DoS) condition, and obtain sensitive information depending on settings. • https://jvn.jp/en/jp/JVN01093915 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28409 – MW WP Form <= 4.4.2 - Directory Traversal via _file_upload
https://notcve.org/view.php?id=CVE-2023-28409
08 May 2023 — Unrestricted upload of file with dangerous type exists in MW WP Form versions v4.4.2 and earlier, which may allow a remote unauthenticated attacker to upload an arbitrary file. The MW WP Form plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.4.2 via the _file_upload function. This allows unauthenticated attackers to upload files of allowed types to arbitrary directories on the site. • https://jvn.jp/en/jp/JVN01093915 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-434: Unrestricted Upload of File with Dangerous Type •