CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51506 – WordPress WPCS Plugin <= 1.2.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-51506
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 WPCS – WordPress Currency Switcher Professional allows Stored XSS.This issue affects WPCS – WordPress Currency Switcher Professional: from n/a through 1.2.0. La vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web ('Cross-site Scripting') en realmag777 WPCS – WordPress Currency Switcher Professional permite XSS almacenado. Este problema afecta a WPCS – WordPress Currency Switcher Professional: desde n/a hasta 1.2.0. The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/currency-switcher/wordpress-wpcs-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2556 – WPCS – WordPress Currency Switcher Professional <= 1.1.9 - Missing Authorization to Arbitrary Custom Drop-Down Currency Switcher Deletion
https://notcve.org/view.php?id=CVE-2023-2556
The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the anonymous function for the wpcs_sd_delete action in versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete an arbitrary custom drop-down currency switcher. • https://plugins.trac.wordpress.org/changeset/2911049/currency-switcher https://www.wordfence.com/threat-intel/vulnerabilities/id/bc44c95e-9ca0-46d0-8315-72612ef3f855?source=cve • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-20780 – Currency Switcher <= 1.1.6 - Cross-site request forgery
https://notcve.org/view.php?id=CVE-2021-20780
Cross-site request forgery (CSRF) vulnerability in WPCS - WordPress Currency Switcher 1.1.6 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. Una vulnerabilidad de tipo Cross-site request forgery (CSRF) en WPCS - WordPress Currency Switcher versiones 1.1.6 y anteriores, permite a atacantes remotos secuestrar la autenticación de los administradores por medio de vectores no especificados The Currency Switcher plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.6. This is due to missing or incorrect nonce validation on the print_plugin_options() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts granted they can trick a site administrator into performing an action such as clicking on a link. • https://jvn.jp/en/jp/JVN91372527/index.html https://pluginus.net https://wordpress.org/plugins/currency-switcher • CWE-352: Cross-Site Request Forgery (CSRF) •