CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 1CVE-2022-3477 – tagDiv Composer < 3.5 - Unauthenticated Account Takeover
https://notcve.org/view.php?id=CVE-2022-3477
24 Oct 2022 — The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login feature, allowing unauthenticated attackers to login as any user by just knowing their email address El complemento de WordPress tagDiv Composer anterior a 3.5, requerido por el tema Newspaper WordPress anterior a 12.1 y el tema Newsmag de WordPress anterior a 5.2.2, no implementa correctamente la función de inicio de ... • https://wpscan.com/vulnerability/993a95d2-6fce-48de-ae17-06ce2db829ef • CWE-287: Improper Authentication CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2167 – Newspaper < 12 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2167
10 Oct 2022 — The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting El tema Newspaper WordPress anterior a la 12 no sanitiza un parámetro antes de devolverlo a un atributo HTML a través de una acción AJAX, lo que genera Reflected Cross-Site Scripting. The Newspaper theme for WordPress is vulnerable to Reflected Cross-Site Scripting via an AJAX action in versions up to, and including, 11.5.1 due t... • https://wpscan.com/vulnerability/ad35fbae-1e90-47a0-b1d2-f8d91a5db90e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 30%CPEs: 1EXPL: 1CVE-2022-2627 – Newspaper < 12 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2627
10 Oct 2022 — The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting. El tema Newspaper WordPress anterior a la 12 no sanitiza un parámetro antes de devolverlo a un atributo HTML a través de una acción AJAX, lo que genera Reflected Cross-Site Scripting. The Newspaper theme for WordPress is vulnerable to Reflected Cross-Site Scripting via an AJAX action in versions up to, and including, 11.5.1 due ... • https://wpscan.com/vulnerability/038327d0-568f-4011-9b7e-3da39e8b6aea • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0CVE-2021-3135 – Newspaper Lite < 11.0 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-3135
30 Jun 2021 — An issue was discovered in the tagDiv Newspaper theme 10.3.9.1 for WordPress. It allows XSS via the wp-admin/admin-ajax.php td_block_id parameter in a td_ajax_block API call. Se ha descubierto un problema en tagDiv Newspaper theme versión 10.3.9.1 para WordPress. Permite un ataque de tipo XSS por medio del parámetro wp-admin/admin-ajax.php td_block_id en una llamada a la API td_ajax_block • https://tagdiv.com/newspaper • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 4%CPEs: 1EXPL: 1CVE-2016-10972 – Newspaper - News & WooCommerce WordPress Theme <= 6.7 - Arbitrary Options Update
https://notcve.org/view.php?id=CVE-2016-10972
06 Jun 2016 — The newspaper theme before 6.7.2 for WordPress has a lack of options access control via td_ajax_update_panel. El tema newspaper versiones anteriores a 6.7.2 para WordPress, posee una falta de opciones de control de acceso mediante la función td_ajax_update_panel. • https://wpvulndb.com/vulnerabilities/8852 • CWE-269: Improper Privilege Management CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1CVE-2017-18634 – Newspaper - News & WooCommerce WordPress Theme < 6.7.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-18634
06 Jun 2016 — The newspaper theme before 6.7.2 for WordPress has script injection via td_ads[header] to admin-ajax.php. El tema newspaper versiones anteriores a 6.7.2 para WordPress, presenta una inyección de script por medio de la función td_ads[header] en el archivo admin-ajax.php. • https://blog.sucuri.net/2017/06/unwanted-shorte-st-ads-in-unpatched-newspaper-theme.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •