
CVSS: 7.6 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in ValvePress Automatic. This issue affects Automatic: from n/a before 3.93.0. The WordPress Automatic Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.92.1. This is due to missing or incorrect nonce validation on an unknown function.
• https://patchstack.com/database/vulnerability/wp-automatic/wordpress-automatic-plugin-3-93-0-multiple-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.9 | EPSS: 0% | CPEs: 1 | EXPL: 13

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection. This issue affects Automatic: from n/a through 3.92.0. The Automatic plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.92.0 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.
• https://github.com/AiGptCode/WordPress-Auto-Admin-Account-and-Reverse-Shell-cve-2024-27956 https://github.com/diego-tella/CVE-2024-27956-RCE https://github.com/CERTologists/EXPLOITING-CVE-2024-27956 https://github.com/truonghuuphuc/CVE-2024-27956 https://github.com/ThatNotEasy/CVE-2024-27956 https://github.com/k3ppf0r/CVE-2024-27956 https://github.com/Cappricio-Securities/CVE-2024-27956 https://github.com/X-Projetion/CVE-2024-27956-WORDPRESS-RCE-PLUGIN https://github.com/FoxyProxys/CVE&#
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in WP Automatic Automatic allows Privilege Escalation. This issue affects Automatic: from n/a through 3.92.0. The Automatic plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.92.0. This is due to missing or incorrect nonce validation on a function.
• https://patchstack.com/database/vulnerability/wp-automatic/wordpress-automatic-plugin-3-92-0-privilege-escalation-vulnerability?_s_id=cve
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Automatic Automatic allows Path Traversal and Server-Side Request Forgery. This issue affects Automatic: from n/a through 3.92.0. The WordPress Automatic Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery and Arbitrary File Download in all versions up to, and including, 3.92.0. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information on internal services, in addition to accessing arbitrary files on the server that may contain sensitive information.
• https://patchstack.com/database/vulnerability/wp-automatic/wordpress-automatic-plugin-3-92-0-unauthenticated-arbitrary-file-download-and-ssrf-vulnerability?_s_id=cve
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-918: Server-Side Request Forgery (SSRF)