CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-48320 – WordPress Video Player Plugin <= 1.5.22 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-48320
23 Nov 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebDorado SpiderVPlayer allows Stored XSS.This issue affects SpiderVPlayer: from n/a through 1.5.22. Vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('cross-site Scripting') en WebDorado SpiderVPlayer permite almacenar XSS. Este problema afecta a SpiderVPlayer: desde n/a hasta 1.5.22. The SpiderVPlayer plugin for WordPress is vulnerable to Stored Cross-Site Scr... • https://patchstack.com/database/vulnerability/player/wordpress-spidervplayer-plugin-1-5-22-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5709 – WD WidgetTwitter <= 1.0.9 - Authenticated (Contributor+) SQL Injection via Shortcode
https://notcve.org/view.php?id=CVE-2023-5709
06 Nov 2023 — The WD WidgetTwitter plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 1.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. El complemento WD Widg... • https://plugins.trac.wordpress.org/browser/widget-twitter/trunk/twitter.php?rev=2212825#L161 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46619 – WordPress Spider Facebook Plugin <= 1.0.15 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-46619
25 Oct 2023 — Cross-Site Request Forgery (CSRF) vulnerability in WebDorado WDSocialWidgets plugin <= 1.0.15 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento WebDorado WDSocialWidgets en versiones <= 1.0.15. The Spider Facebook plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.15. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to perform unauthorized actions via a forged reques... • https://patchstack.com/database/vulnerability/spider-facebook/wordpress-wdsocialwidgets-plugin-1-0-15-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5048 – WDContactFormBuilder <= 1.0.72 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2023-5048
23 Oct 2023 — The WDContactFormBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Contact_Form_Builder' shortcode in versions up to, and including, 1.0.72 due to insufficient input sanitization and output escaping on 'id' user supplied attribute. This makes it possible for authenticated attackers with contributor level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento WDContactFormBuilder para WordPres... • https://plugins.trac.wordpress.org/browser/contact-form-builder/tags/1.0.72/frontend/views/CFMViewForm_maker.php#L102 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46090 – WordPress Spider Facebook Plugin <= 1.0.15 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-46090
17 Oct 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WebDorado WDSocialWidgets plugin <= 1.0.15 versions. Vulnerabilidad de Cross-Site Scripting (XSS) Reflejada no autenticada en el complemento WebDorado WDSocialWidgets en versiones <= 1.0.15. The WDSocialWidgets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenti... • https://patchstack.com/database/vulnerability/spider-facebook/wordpress-wdsocialwidgets-plugin-1-0-15-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-45632 – WordPress Video Player Plugin <= 1.5.22 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-45632
11 Oct 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WebDorado SpiderVPlayer plugin <= 1.5.22 versions. Vulnerabilidad de Cross-Site Scripting (XSS) Reflejada No Autenticada en el complemento WebDorado SpiderVPlayer en versiones <= 1.5.22. The Video Player plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in versions up to, and including, 1.5.22 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attac... • https://patchstack.com/database/vulnerability/player/wordpress-spidervplayer-plugin-1-5-22-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-2655 – Contact Form by WD <= 1.13.23 - Admin+ SQLi
https://notcve.org/view.php?id=CVE-2023-2655
15 Jun 2023 — The Contact Form by WD WordPress plugin through 1.13.23 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin El complemento Contact Form de WD WordPress hasta la versión 1.13.23 no sanitiza ni escapa adecuadamente un parámetro antes de usarlo en una declaración SQL, lo que genera una inyección de SQL explotable por usuarios con privilegios elevados, como el administrador. The Contact Form Maker plug... • https://wpscan.com/vulnerability/b3f2d38f-8eeb-45e9-bb58-2957e416e1cd • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 2CVE-2021-24625 – SpiderCatalog <= 1.7.3 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-24625
07 Oct 2021 — The SpiderCatalog WordPress plugin through 1.7.3 does not sanitise or escape the 'parent' and 'ordering' parameters from the admin dashboard before using them in a SQL statement, leading to a SQL injection when adding a category El plugin SpiderCatalog de WordPress versiones hasta 1.7.3, no sanea ni escapa de los parámetros "parent" y "ordering" del panel de administración antes de usarlos en una sentencia SQL, conllevando a una inyección SQL cuando se añade una categoría • https://codevigilant.com/disclosure/2021/wp-plugin-catalog • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24426 – Backup by 10Web <= 1.0.20 - Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24426
16 Jun 2021 — The Backup by 10Web – Backup and Restore Plugin WordPress plugin through 1.0.20 does not sanitise or escape the tab parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue El plugin de WordPress Backup by 10Web - Backup and Restore versiones hasta 1.0.20, no sanea o escapa del parámetro tab antes de emitirlo en la página, conllevando a un problema de tipo Cross-Site Scripting reflejado • https://m0ze.ru/vulnerability/%5B2021-05-23%5D-%5BWordPress%5D-%5BCWE-79%5D-Backup-by-10Web-WordPress-Plugin-v1.0.20.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2019-11557 – WDContactFormBuilder <= 1.0.68 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2019-11557
23 Apr 2019 — The WebDorado Contact Form Builder plugin before 1.0.69 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST['action'] value and the $_GET['action'] value, and the latter is unsanitized. El plugin WebDorado Contact Form Builder versión anterior a la 1.0.69 para Wordpress tiene Cross-Site Request Forgery (CSRF) mediante el parámetro de acción wp-admin/admin-ajax.php. Resul... • http://seclists.org/fulldisclosure/2019/Apr/35 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-352: Cross-Site Request Forgery (CSRF) •