
CVE-2024-1075 – Minimal Coming Soon – Coming Soon Page <= 2.37 - Unauthenticated Maintenance Mode Bypass
https://notcve.org/view.php?id=CVE-2024-1075
05 Feb 2024 — The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to maintenance mode bypass and information disclosure in all versions up to, and including, 2.37. This is due to the plugin improperly validating the request path. This makes it possible for unauthenticated attackers to bypass maintenance mode and view pages that should be hidden. The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to maintenance mode bypass and information disclos... • https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/trunk/framework/public/init.php#L67 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2023-50837 – WordPress Login Lockdown Plugin <= 2.06 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-50837
21 Dec 2023 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WebFactory Ltd Login Lockdown – Protect Login Form. This issue affects Login Lockdown – Protect Login Form: from n/a through 2.06. Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") vulnerability in WebFactory Ltd Login Lockdown – Protect Login Form. This issue affects Login Lockdown – Protect Login Form: from n/a through 2.06. The Login Lockdown – Protec... • https://patchstack.com/database/vulnerability/login-lockdown/wordpress-login-lockdown-protect-login-form-plugin-2-06-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-49747 – WordPress Guest Author Plugin <= 2.3 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-49747
04 Dec 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebFactory Ltd Guest Author allows Stored XSS. This issue affects Guest Author: from n/a through 2.3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebFactory Ltd Guest Author allows Stored XSS. This issue affects Guest Author: from n/a through 2.3. The Guest Author plugin for WordPress is vulnerable to Stored Cross-Site Scri... • https://patchstack.com/database/vulnerability/guest-author/wordpress-guest-author-plugin-2-3-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-3601 – Simple Author Box < 2.52 - Contributor+ Arbitrary User Information Disclosure via IDOR
https://notcve.org/view.php?id=CVE-2023-3601
24 Jul 2023 — The Simple Author Box WordPress plugin before 2.52 does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor. The Simple Author Box plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.51. This is due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level permissions and above, to e... • https://wpscan.com/vulnerability/c0cc513e-c306-4920-9afb-e33d95a7292f • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2023-1913 – Maps Widget for Google Maps <= 4.24 - Authenticated (Administrator+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-1913
06 Apr 2023 — The Maps Widget for Google Maps for WordPress is vulnerable to Stored Cross-Site Scripting via widget settings in versions up to, and including, 4.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2893821%40google-maps-widget%2Ftrunk&old=2876127%40google-maps-widget%2Ftrunk&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-0831 – Under Construction <= 3.96 - Cross-Site Request Forgery via admin_action_ucp_dismiss_notice
https://notcve.org/view.php?id=CVE-2023-0831
10 Feb 2023 — The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the dismiss_notice function called via the admin_action_ucp_dismiss_notice action. This makes it possible for unauthenticated attackers to dismiss plugin notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/under-construction-page/trunk/under-construction.php?rev=2848705#L901 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2023-0832 – Under Construction <= 3.96 - Cross-Site Request Forgery via admin_action_install_weglot
https://notcve.org/view.php?id=CVE-2023-0832
10 Feb 2023 — The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the install_weglot function called via the admin_action_install_weglot action. This makes it possible for unauthenticated attackers to perform an unauthorized install of the Weglot Translate plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/under-construction-page/trunk/under-construction.php?rev=2848705#L2389 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2022-1582 – External Links in New Window / New Tab < 1.43 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1582
09 May 2022 — The External Links in New Window / New Tab WordPress plugin before 1.43 does not properly escape URLs it concatenates to onclick event handlers, which makes Stored Cross-Site Scripting attacks possible. The External Links in New Window / New Tab WordPress plugin in versions prior to 1.43 does not properly escape the URLs it concatenates into onclick event handlers, which makes Stored Cross-Site Scripting attacks possible. • https://wpscan.com/vulnerability/cbb75383-4351-4488-aaca-ddb0f6f120cd • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2022-1583 – External Links in New Window / New Tab < 1.43 - Tabnabbing
https://notcve.org/view.php?id=CVE-2022-1583
09 May 2022 — The External Links in New Window / New Tab WordPress plugin before 1.43 does not ensure window.opener is set to "null" when links to external sites are clicked, which may enable tabnabbing attacks to occur. The External Links in New Window / New Tab WordPress plugin in versions prior to 1.43 does not ensure that window.opener is set to "null" when links to external sites are clicked, which could allow tabnabbing attacks to occur. • https://wpscan.com/vulnerability/aa9d727c-4d17-4220-b8cb-e6dec30361a9 • CWE-1022: Use of Web Link to Untrusted Target with window.opener Access •

CVE-2021-36908 – WordPress WP Reset PRO Premium Plugin <= 5.98 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2021-36908
10 Nov 2021 — Cross-Site Request Forgery (CSRF) vulnerability in WebFactory Ltd. WP Reset PRO plugin <= 5.98 versions. A Cross-Site Request Forgery (CSRF) vulnerability leading to a database reset in the WP Reset PRO Premium plugin for WordPress (versions up to and including 5.98) allows attackers to trick authenticated users into performing an unintended database reset. Cross-Site Request Forgery (CSRF) vulnerability leading to Database Reset in WordPr... • https://patchstack.com/database/vulnerability/wp-reset/wordpress-wp-reset-pro-premium-plugin-5-98-cross-site-request-forgery-csrf-vulnerability-leading-to-database-reset?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •