
CVE-2025-1306 – Newscrunch <= 1.8.4 - Cross-Site Request Forgery to Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-1306
03 Mar 2025 — The Newscrunch theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.4. This is due to missing or incorrect nonce validation on the newscrunch_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. WordPress Newscrunch theme version 1.8.4 suffers from a cross site request forg... • https://packetstorm.news/files/id/190148 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-1307 – Newscrunch <= 1.8.4 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-1307
03 Mar 2025 — The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. WordPress Newscrunch theme version 1.8.4.1 suffers from a remote shell upload vulnerability. • https://packetstorm.news/files/id/190147 • CWE-862: Missing Authorization •

CVE-2024-8430 – Spice Starter Sites <= 1.2.5 - Missing Authorization to Unauthenticated Demo Content Import
https://notcve.org/view.php?id=CVE-2024-8430
30 Sep 2024 — The Spice Starter Sites plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the spice_starter_sites_importer_creater function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to import demo content. • https://plugins.trac.wordpress.org/browser/spice-starter-sites/tags/1.2.5/spice-starter-sites.php#L1123 • CWE-862: Missing Authorization •

CVE-2023-5362 – Carousel, Recent Post Slider and Banner Slider <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2023-5362
20 Oct 2023 — The Carousel, Recent Post Slider and Banner Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'spice_post_slider' shortcode in versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/spice-post-slider/tags/1.9/include/view/shortcode.php#L102 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •