CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35726 – WordPress WooBuddy plugin <= 3.4.19 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-35726
06 Jun 2024 — Missing Authorization vulnerability in ThemeKraft WooBuddy.This issue affects WooBuddy: from n/a through 3.4.19. Vulnerabilidad de autorización faltante en ThemeKraft WooBuddy. Este problema afecta a WooBuddy: desde n/a hasta 3.4.19. The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wc4bp_shop_profile_sync_ajax() function in versions up to, and including, 3.4.19. • https://patchstack.com/database/vulnerability/wc4bp/wordpress-woobuddy-plugin-3-4-19-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5149 – BuddyForms <= 2.8.9 - Email Verification Bypass due to Insufficient Randomness
https://notcve.org/view.php?id=CVE-2024-5149
04 Jun 2024 — The BuddyForms plugin for WordPress is vulnerable to Email Verification Bypass in all versions up to, and including, 2.8.9 via the use of an insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification. El complemento BuddyForms para WordPress es vulnerable a la omisión de verificación de correo electrónico en todas las versiones hasta la 2.8.9 incluida mediante el uso de un código de activación insuficientemente aleatorio. Esto hace posible qu... • https://plugins.trac.wordpress.org/browser/buddyforms/tags/2.8.9/includes/wp-insert-user.php#L334 • CWE-330: Use of Insufficiently Random Values •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5823 – WordPress TK Google Fonts GDPR Compliant Plugin <= 2.2.11 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-5823
24 Oct 2023 — Cross-Site Request Forgery (CSRF) vulnerability in ThemeKraft TK Google Fonts GDPR Compliant plugin <= 2.2.11 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento ThemeKraft TK Google Fonts GDPR Compliant en versiones <= 2.2.11. The TK Google Fonts GDPR Compliant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tk_google_fonts_add_font function in all versions up to, and including, 2.2.11. This makes it possible fo... • https://patchstack.com/database/vulnerability/tk-google-fonts/wordpress-tk-google-fonts-gdpr-compliant-plugin-2-2-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25981 – WordPress BuddyForms Plugin <= 2.8.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-25981
11 May 2023 — Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in ThemeKraft Post Form plugin <= 2.8.1 versions. Vulnerabilidad de Cross-Site Scripting (XSS) Almacenada en el plugin Post Form de ThemeKraft que afecta a las versiones versiones 2.8.1 e inferiores. Para explotar esta vulnerabilidad hace falta estar autenticado y tener permisos de colaborador o superior. The Post, Registration and Profile Form Builder – FrontEnd Editor BuddyForms – Easy WordPress Forms plugin for WordPress is vulnerable t... • https://patchstack.com/database/vulnerability/buddyforms/wordpress-buddyforms-plugin-2-8-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2023-26326 – BuddyForms <= 2.7.7 - PHAR Deserialization
https://notcve.org/view.php?id=CVE-2023-26326
20 Feb 2023 — The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue. An unauthenticated attacker could leverage this issue to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. The BuddyForms plugin for WordPress is vulnerable to deserialization of untrusted input via the 'url' parameter in versions up to, and in... • https://github.com/omarelshopky/exploit_cve-2023-26326_using_cve-2024-2961 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38971 – WordPress BuddyForms Plugin <= 2.7.5 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-38971
27 Oct 2022 — Stored Cross-Site Scripting (XSS) vulnerability in ThemeKraft Post Form – Registration Form – Profile Form for User Profiles and Content Forms for User Submissions plugin <= 2.7.5 versions. The BuddyForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages th... • https://patchstack.com/database/vulnerability/buddyforms/wordpress-buddyforms-plugin-2-7-2-auth-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-21003 – Post, Registration and Profile Form Builder – FrontEnd Editor BuddyForms – Easy WordPress Forms <= 2.2.7 - SQL Injection
https://notcve.org/view.php?id=CVE-2018-21003
09 Nov 2018 — The buddyforms plugin before 2.2.8 for WordPress has SQL injection. El plugin buddyforms versiones anteriores a 2.2.8 para WordPress, presenta una inyección SQL. The Buddyforms plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.2.7 due to insufficient escaping on a user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that ca... • https://wordpress.org/plugins/buddyforms/#developers • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •