CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47377 – WordPress BuddyForms plugin <= 2.8.12 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-47377
30 Sep 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ThemeKraft BuddyForms allows Stored XSS.This issue affects BuddyForms: from n/a through 2.8.12. The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 2.8.12 due to insufficient input sanitization and output escaping. This... • https://patchstack.com/database/vulnerability/buddyforms/wordpress-buddyforms-plugin-2-8-12-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5149 – BuddyForms <= 2.8.9 - Email Verification Bypass due to Insufficient Randomness
https://notcve.org/view.php?id=CVE-2024-5149
04 Jun 2024 — The BuddyForms plugin for WordPress is vulnerable to Email Verification Bypass in all versions up to, and including, 2.8.9 via the use of an insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification. El complemento BuddyForms para WordPress es vulnerable a la omisión de verificación de correo electrónico en todas las versiones hasta la 2.8.9 incluida mediante el uso de un código de activación insuficientemente aleatorio. Esto hace posible qu... • https://plugins.trac.wordpress.org/browser/buddyforms/tags/2.8.9/includes/wp-insert-user.php#L334 • CWE-330: Use of Insufficiently Random Values •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32830 – WordPress buddyforms plugin <= 2.8.8- Arbitrary File Read and SSRF vulnerability
https://notcve.org/view.php?id=CVE-2024-32830
22 Apr 2024 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThemeKraft BuddyForms allows Server Side Request Forgery, Relative Path Traversal.This issue affects BuddyForms: from n/a through 2.8.8. Vulnerabilidad de limitación incorrecta de nombre de ruta a un directorio restringido ("Path Traversal") en ThemeKraft BuddyForms permite Server Side Request Forgery y path traversal relativo. Este problema afecta a BuddyForms: desde n/a hasta 2.8.8. The Post Form – Registration... • https://patchstack.com/database/vulnerability/buddyforms/wordpress-buddyforms-plugin-2-8-8-arbitrary-file-read-and-ssrf-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-30198 – WordPress Buddyforms plugin <= 2.8.5 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-30198
25 Mar 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeKraft BuddyForms allows Reflected XSS.This issue affects BuddyForms: from n/a through 2.8.5. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('Cross-site Scripting') en ThemeKraft BuddyForms permite el XSS reflejado. Este problema afecta a BuddyForms: desde n/a hasta 2.8.5. The BuddyForms plugin for WordPress is vulnerable to Reflected Cross-Site Script... • https://patchstack.com/database/vulnerability/buddyforms/wordpress-buddyforms-plugin-2-8-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-26326 – BuddyForms <= 2.7.7 - PHAR Deserialization
https://notcve.org/view.php?id=CVE-2023-26326
20 Feb 2023 — The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue. An unauthenticated attacker could leverage this issue to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. The BuddyForms plugin for WordPress is vulnerable to deserialization of untrusted input via the 'url' parameter in versions up to, and in... • https://www.tenable.com/security/research/tra-2023-7 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-21003 – Post, Registration and Profile Form Builder – FrontEnd Editor BuddyForms – Easy WordPress Forms <= 2.2.7 - SQL Injection
https://notcve.org/view.php?id=CVE-2018-21003
09 Nov 2018 — The buddyforms plugin before 2.2.8 for WordPress has SQL injection. El plugin buddyforms versiones anteriores a 2.2.8 para WordPress, presenta una inyección SQL. The Buddyforms plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.2.7 due to insufficient escaping on a user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that ca... • https://wordpress.org/plugins/buddyforms/#developers • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •