CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6980 – WP SMS <= 6.5 - Cross-Site Request Forgery to Subscriber Deletion
https://notcve.org/view.php?id=CVE-2023-6980
02 Jan 2024 — The WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5. This is due to missing or incorrect nonce validation on the 'delete' action of the wp-sms-subscribers page. This makes it possible for unauthenticated attackers to delete subscribers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. WP SMS – Messa... • https://github.com/wp-sms/wp-sms/commit/0f36e2f521ade8ddfb3e04786defe074370afb50 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6981 – WP SMS <= 6.5 - Authenticated (Admin+) SQL Injection to Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-6981
02 Jan 2024 — The WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to SQL Injection via the 'group_id' parameter in all versions up to, and including, 6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to ext... • https://github.com/wp-sms/wp-sms/commit/6656de201efe67c7983102c344a546eed976a819 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32742 – WordPress WP SMS Plugin <= 6.1.4 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-32742
15 May 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in VeronaLabs WP SMS plugin <= 6.1.4 versions. Se ha identificado una vulnerabilidad de Cross-Site Scripting (XSS) Reflejado en el plugin WP SMS de VeronaLabs, la cual afecta a las versiones 6.1.4 e inferiores. Para explotar esta vulnerabilidad hace no falta estar autenticado. The WP SMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'delete_mobile' parameter in versions up to, and including, 6.1.4 due to insufficient i... • https://patchstack.com/database/vulnerability/wp-sms/wordpress-wp-sms-plugin-6-1-4-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0955 – WP Statistics < 14.0 - Authenticated SQLi
https://notcve.org/view.php?id=CVE-2023-0955
06 Mar 2023 — The WP Statistics WordPress plugin before 14.0 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+), however the plugin has a settings to allow low privilege users to access it as well. The WP Statistics plugin for WordPress is vulnerable to SQL Injection via the $days_time_list value in versions up to, and including, 13.2.16 due to insufficient escaping on the u... • https://wpscan.com/vulnerability/18b7e93f-b038-4f28-918b-4015d62f0eb8 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-27447 – WordPress WP SMS Plugin <= 6.0.4 is vulnerable to Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2023-27447
02 Mar 2023 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in VeronaLabs WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc.This issue affects WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc: from n/a through 6.0.4. Vulnerabilidad de exposición de información confidencial a un actor no autorizado en VeronaLabs WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc. Este problema afecta a WP SM... • https://patchstack.com/database/vulnerability/wp-sms/wordpress-wp-sms-plugin-6-0-4-sensitive-data-exposure-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38074 – WordPress WP Statistics Plugin <= 13.2.10 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2022-38074
31 Jan 2023 — SQL Injection vulnerability in VeronaLabs WP Statistics plugin <= 13.2.10 versions. The WP Statistics plugin for WordPress is vulnerable to SQL Injection via the ‘limit’ parameter in versions up to, and including, 13.2.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for subscriber-level attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information f... • https://patchstack.com/database/vulnerability/wp-statistics/wordpress-wp-statistics-plugin-13-2-10-multiple-authenticated-sql-injection-vulnerabilities?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4230 – WP Statistics < 13.2.9 - Authenticated SQLi
https://notcve.org/view.php?id=CVE-2022-4230
27 Dec 2022 — The WP Statistics WordPress plugin before 13.2.9 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+), however the plugin has a settings to allow low privilege users to access it as well. Las versiones del complemento WP Statistics de WordPress anteriores a la 13.2.9 no escapan uno de los parámetros, lo que podría permitir a usuarios autenticados realizar ataques... • https://wpscan.com/vulnerability/a0e40cfd-b217-481c-8fc4-027a0a023312 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-27231 – WP Statistics <= 13.1.7 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-27231
24 May 2022 — Cross-site scripting vulnerability exists in WP Statistics versions prior to 13.2.0 because it improperly processes a platform parameter. By exploiting this vulnerability, an arbitrary script may be executed on the web browser of the user who is logging in to the website using the product. Se presenta una vulnerabilidad de tipo cross-site scripting en WP Statistics versiones anteriores a 13.2.0, porque procesa inapropiadamente un parámetro de plataforma. Al explotar esta vulnerabilidad, puede ejecutarse un ... • https://jvn.jp/en/jp/JVN15241647/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1005 – WP Statistics < 13.2.2 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1005
11 May 2022 — The WP Statistics WordPress plugin before 13.2.2 does not sanitise the REQUEST_URI parameter before outputting it back in the rendered page, leading to Cross-Site Scripting (XSS) in web browsers which do not encode characters El plugin WP Statistics de WordPress versiones anteriores a 13.2.2, no sanea el parámetro REQUEST_URI antes de devolverlo a la página, lo que conlleva problemas de tipo Cross-Site Scripting (XSS) en los navegadores que no codifican los caracteres • https://wpscan.com/vulnerability/f37d1d55-10cc-4202-8d16-9ec2128f54f9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2022-25307 – WP Statistics <= 13.1.5 Unauthenticated Stored Cross-Site Scripting via platform
https://notcve.org/view.php?id=CVE-2022-25307
17 Feb 2022 — The WP Statistics WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the platform parameter found in the ~/includes/class-wp-statistics-hits.php file which allows attackers to inject arbitrary web scripts onto several pages that execute when site administrators view a sites statistics, in versions up to and including 13.1.5. El plugin WP Statistics de WordPress es vulnerable a un ataque de tipo Cross-Site Scripting debido a un escape y saneo insuficientes... • https://gist.github.com/Xib3rR4dAr/8090a6d026d4601083cff80aa80de7eb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •