CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1075 – Minimal Coming Soon – Coming Soon Page <= 2.37 - Unauthenticated Maintenance Mode Bypass
https://notcve.org/view.php?id=CVE-2024-1075
The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to maintenance mode bypass and information disclosure in all versions up to, and including, 2.37. This is due to the plugin improperly validating the request path. This makes it possible for unauthenticated attackers to bypass maintenance mode and view pages that should be hidden. El complemento Minimal Coming Soon – Coming Soon Page para WordPress es vulnerable a la omisión del modo de mantenimiento y a la divulgación de información en todas las versiones hasta la 2.37 incluida. Esto se debe a que el complemento validó incorrectamente la ruta de la solicitud. • https://plugins.trac.wordpress.org/browser/minimal-coming-soon-maintenance-mode/trunk/framework/public/init.php#L67 https://plugins.trac.wordpress.org/changeset/3031149/minimal-coming-soon-maintenance-mode/trunk/framework/public/init.php https://www.wordfence.com/threat-intel/vulnerabilities/id/78203b98-15bc-4d8e-9278-c472b518be07?source=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50837 – WordPress Login Lockdown Plugin <= 2.06 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-50837
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WebFactory Ltd Login Lockdown – Protect Login Form.This issue affects Login Lockdown – Protect Login Form: from n/a through 2.06. Neutralización incorrecta de elementos especiales utilizados en una vulnerabilidad de comando SQL ("inyección SQL") en WebFactory Ltd Login Lockdown – Protect Login Form. Este problema afecta a Login Lockdown – Protect Login Form: desde n/a hasta 2.06. The Login Lockdown – Protect Login Form plugin for WordPress is vulnerable to SQL Injection via the 'iDisplayStart' parameter in all versions up to 2.07 (exclusive) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/login-lockdown/wordpress-login-lockdown-protect-login-form-plugin-2-06-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49747 – WordPress Guest Author Plugin <= 2.3 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-49747
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebFactory Ltd Guest Author allows Stored XSS.This issue affects Guest Author: from n/a through 2.3. Neutralización inadecuada de la entrada durante la vulnerabilidad de generación de páginas web ('Cross-site Scripting') en WebFactory Ltd Guest Author permite almacenar XSS. Este problema afecta a Guest Author: desde n/a hasta 2.3. The Guest Author plugin for WordPress is vulnerable to Stored Cross-Site Scripting via author name in versions up to, and including, 2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/guest-author/wordpress-guest-author-plugin-2-3-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-3601 – Simple Author Box < 2.52 - Contributor+ Arbitrary User Information Disclosure via IDOR
https://notcve.org/view.php?id=CVE-2023-3601
The Simple Author Box WordPress plugin before 2.52 does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor. The Simple Author Box plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.51. This is due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level permissions and above, to expose sensitive user information. • https://wpscan.com/vulnerability/c0cc513e-c306-4920-9afb-e33d95a7292f • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1913 – Maps Widget for Google Maps <= 4.24 - Authenticated (Administrator+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-1913
The Maps Widget for Google Maps for WordPress is vulnerable to Stored Cross-Site Scripting via widget settings in versions up to, and including, 4.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2893821%40google-maps-widget%2Ftrunk&old=2876127%40google-maps-widget%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/de871598-e4e7-49f6-8530-68243544c06c?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •