CVE-2022-41695 – WordPress Traffic Manager Plugin <= 1.4.5 is vulnerable to Broken Access Control
https://notcve.org/view.php?id=CVE-2022-41695
Missing Authorization vulnerability in SedLex Traffic Manager.This issue affects Traffic Manager: from n/a through 1.4.5. Vulnerabilidad de autorización faltante en SedLex Traffic Manager. Este problema afecta a Traffic Manager: desde n/a hasta 1.4.5. The Traffic Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on an unknown function in versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to access functionality or information not intended for them. • https://patchstack.com/database/vulnerability/traffic-manager/wordpress-traffic-manager-plugin-1-4-5-multiple-vulnerabilities?_s_id=cve • CWE-862: Missing Authorization •
CVE-2022-42460 – WordPress Traffic Manager plugin <= 1.4.5 - Broken Access Control vulnerability leading to Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-42460
Broken Access Control vulnerability leading to Stored Cross-Site Scripting (XSS) in Traffic Manager plugin <= 1.4.5 on WordPress. Vulnerabilidad de Control de Acceso Roto que conduce a Cross-Site Scripting (XSS) Almacenado en el complemento Traffic Manager en WordPress en versiones <= 1.4.5. The Traffic Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/traffic-manager/wordpress-traffic-manager-plugin-1-4-5-broken-access-control-vulnerability-leading-to-stored-cross-site-scripting-xss?_s_id=cve https://wordpress.org/plugins/traffic-manager • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-264: Permissions, Privileges, and Access Controls •
CVE-2022-41619 – WordPress Image Zoom Plugin <= 1.8.8 is vulnerable to Broken Access Control
https://notcve.org/view.php?id=CVE-2022-41619
Missing Authorization vulnerability in SedLex Image Zoom.This issue affects Image Zoom: from n/a through 1.8.8. Vulnerabilidad de falta de autorización en SedLex Image Zoom. Este problema afecta a Image Zoom: desde n/a hasta 1.8.8. The Image Zoom plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several of its AJAX functions in versions up to, and including, 1.8.8. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke them leading to translation modifications. • https://patchstack.com/database/vulnerability/image-zoom/wordpress-image-zoom-plugin-1-8-8-multiple-broken-access-control-vulnerabilities?_s_id=cve • CWE-862: Missing Authorization •
CVE-2022-40219 – WordPress FavIcon Switcher plugin <= 1.2.11 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-40219
Cross-Site Request Forgery (CSRF) vulnerability in SedLex FavIcon Switcher plugin <= 1.2.11 at WordPress allows plugin settings change. Una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en el plugin SedLex FavIcon Switcher versiones anteriores a 1.2.11 incluyéndola en WordPress, que permite cambiar la configuración del plugin The FavIcon Switcher plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.11. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke this function granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/favicon-switcher/wordpress-favicon-switcher-plugin-1-2-11-cross-site-request-forgery-csrf-vulnerability https://wordpress.org/plugins/favicon-switcher • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-22735 – Simple Quotation <= 1.3.2 - Subscriber+ SQL injection
https://notcve.org/view.php?id=CVE-2022-22735
The Simple Quotation WordPress plugin through 1.3.2 does not have authorisation (and CSRF) checks in various of its AJAX actions and is lacking escaping of user data when using it in SQL statements, allowing any authenticated users, such as subscriber to perform SQL injection attacks El plugin Simple Quotation de WordPress versiones hasta 1.3.2, no dispone de comprobaciones de autorización (y CSRF) en varias de sus acciones AJAX y carece de escapes de datos de usuario cuando los usa en sentencias SQL, permitiendo a cualquier usuario autenticado, como el suscriptor, llevar a cabo ataques de inyección SQL • https://wpscan.com/vulnerability/6940a97e-5a75-405c-be74-bedcc3a8ee00 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •