CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 9CVE-2024-2023 – Folders <= 3.0 and Folders Pro <= 3.0.2 - Directory Traversal via handle_folders_file_upload
https://notcve.org/view.php?id=CVE-2024-2023
13 Jun 2024 — The Folders and Folders Pro plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.0 in Folders and 3.0.2 in Folders Pro via the 'handle_folders_file_upload' function. This makes it possible for authenticated attackers, with author access and above, to upload files to arbitrary locations on the server. El complemento Folders and Folders Pro para WordPress es vulnerable a Directory Traversal en todas las versiones hasta la 3.0 en Folders y la 3.0.2 en Folders Pro a ... • https://github.com/W01fh4cker/CVE-2024-27198-RCE • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 50CVE-2024-2024 – Folders Pro <= 3.0.2 - Authenticated(Author+) Arbitrary File Upload via handle_folders_file_upload
https://notcve.org/view.php?id=CVE-2024-2024
13 Jun 2024 — The Folders Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handle_folders_file_upload' function in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with author access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. El complemento Folders Pro para WordPress es vulnerable a cargas de archivos arbitrarias debido a la falta de validación del... • https://github.com/Notselwyn/CVE-2024-1086 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-7048 – My Sticky Bar <= 2.6.6 - Cross-Site Request Forgery to Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2023-7048
03 Jan 2024 — The My Sticky Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.6. This is due to missing or incorrect nonce validation in mystickymenu-contact-leads.php. This makes it possible for unauthenticated attackers to trigger the export of a CSV file containing contact leads via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Because the CSV file is exported to a public location, it can b... • https://plugins.trac.wordpress.org/changeset/3016780/mystickymenu • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47759 – WordPress Chaty Plugin <= 3.1.2 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-47759
13 Nov 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Premio Chaty plugin <= 3.1.2 versions. Vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('cross-site Scripting') en el complemento Premio Chaty en versiones <= 3.1.2. The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin s... • https://patchstack.com/database/vulnerability/chaty/wordpress-chaty-plugin-3-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5509 – myStickymenu < 2.6.5 - Subscriber+ Arbitrary Form Leads Deletion
https://notcve.org/view.php?id=CVE-2023-5509
27 Oct 2023 — The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions. El complemento myStickymenu de WordPress anterior a 2.6.5 no autoriza adecuadamente algunas llamadas ajax, lo que permite que cualquier usuario que haya iniciado sesión realice las acciones. The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any Theme – My Sticky Bar (formerly myStickymenu) plugin for WordPress is vuln... • https://wpscan.com/vulnerability/3b33c262-e7f0-4310-b26d-4727d7c25c9d • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40204 – WordPress Folders Plugin <= 2.9.2 is vulnerable to Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-40204
28 Aug 2023 — Unrestricted Upload of File with Dangerous Type vulnerability in Premio Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager.This issue affects Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager: from n/a through 2.9.2. Carga sin restricciones de archivos con vulnerabilidad de tipo peligroso en Premio Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager. Este problema afecta a Folders – Unlimited Fo... • https://patchstack.com/database/vulnerability/folders/wordpress-folders-plugin-2-9-2-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-3248 – All-in-one Floating Contact Form < 2.1.2 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-3248
03 Jul 2023 — The All-in-one Floating Contact Form WordPress plugin before 2.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) The All-in-one Floating Contact Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.1.1 due to insufficient input sanitization and o... • https://wpscan.com/vulnerability/90c7496b-552f-4566-b7ae-8c953c965352 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-3245 – Floating Chat Widget < 3.1.2 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-3245
26 Jun 2023 — The Floating Chat Widget WordPress plugin before 3.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) The Floating Chat Widget - Chaty plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. ... • https://wpscan.com/vulnerability/f9f8ae7e-6621-4e29-9257-b8306dbe8811 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25019 – WordPress Chaty Plugin <= 3.0.9 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-25019
16 May 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Premio Chaty plugin <= 3.0.9 versions Vulnerabilidad de Cross-Site Scripting (XSS) Reflejada en el plugin Chaty de Premio para las versiones 3.0.9 e inferiores. Para explotar esta vulnerabilidad no hace falta estar autenticado. The Chaty plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'channel' parameters in versions up to, and including, 3.0.9 due to insufficient input sanitization and output escaping. This makes it ... • https://patchstack.com/database/vulnerability/chaty/wordpress-chaty-plugin-3-0-9-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0487 – My Sticky Elements < 2.0.9 - Admin+ SQLi
https://notcve.org/view.php?id=CVE-2023-0487
09 Feb 2023 — The My Sticky Elements WordPress plugin before 2.0.9 does not properly sanitise and escape a parameter before using it in a SQL statement when deleting messages, leading to a SQL injection exploitable by high privilege users such as admin The My Sticky Elements plugin for WordPress is vulnerable to SQL Injection via the 'delete_message' parameter in versions up to, and including, 2.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. T... • https://wpscan.com/vulnerability/0e874a1d-c866-45fa-b456-c8012dca32af • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •