
CVSS: 7.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in the WP-EXPERTS.IN TEAM WP Categories Widget plugin, versions <= 2.2. The WP Categories Widget plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters of the wcw_terms_list() function, which is reachable through an AJAX action, in versions up to and including 2.2, due to insufficient input sanitization and output escaping. Because the action is reachable without authentication, an unauthenticated attacker can craft a link whose parameters are reflected into the response, and the injected script runs in the browser of any user who opens that link. • https://patchstack.com/database/vulnerability/wp-categories-widget/wordpress-wp-categories-widget-plugin-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
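The pattern behind this finding, as an added example that is not the WP Categories Widget plugin's own code: an AJAX handler that lists terms and echoes request parameters, first in a vulnerable form and then hardened. The action name `demo_terms_list`, the parameter names `title` and `class`, and the function names are assumptions for illustration.

```php
<?php
/**
 * Added example, not code from the WP Categories Widget plugin: the shape of an
 * AJAX-reachable term list that echoes request parameters, in a vulnerable and a
 * hardened form. The action name "demo_terms_list" and the parameter names are
 * assumptions for illustration.
 */

// Vulnerable pattern. Registering the action under the wp_ajax_nopriv_ prefix
// makes it reachable without logging in, and admin-ajax.php answers with
// text/html, so a crafted link such as
//   /wp-admin/admin-ajax.php?action=demo_terms_list&title=%3Cscript%3Ealert(1)%3C/script%3E
// reflects the payload into a page that the victim's browser renders.
function demo_terms_list_vulnerable() {
    $title = isset( $_GET['title'] ) ? $_GET['title'] : 'Categories';
    $class = isset( $_GET['class'] ) ? $_GET['class'] : '';
    $terms = get_terms( array( 'taxonomy' => 'category', 'hide_empty' => false ) );
    if ( is_wp_error( $terms ) ) {
        wp_die();
    }

    // Raw request data lands in an attribute and in a text node.
    echo '<div class="' . $class . '"><h3>' . $title . '</h3>';
    foreach ( $terms as $term ) {
        echo '<a href="' . get_term_link( $term ) . '">' . $term->name . '</a>';
    }
    echo '</div>';
    wp_die();
}

// Hardened: sanitize on input, escape on output with the escaper that matches
// the context (attribute, text node, URL). Sanitizing alone is not enough,
// because sanitize_text_field() keeps characters such as double quotes that
// still break out of an attribute value.
function demo_terms_list_hardened() {
    $title = isset( $_GET['title'] ) ? sanitize_text_field( wp_unslash( $_GET['title'] ) ) : 'Categories';
    $class = isset( $_GET['class'] ) ? sanitize_html_class( wp_unslash( $_GET['class'] ) ) : '';

    $terms = get_terms( array( 'taxonomy' => 'category', 'hide_empty' => false ) );
    if ( is_wp_error( $terms ) ) {
        wp_send_json_error( 'term lookup failed', 500 );
    }

    echo '<div class="' . esc_attr( $class ) . '"><h3>' . esc_html( $title ) . '</h3>';
    foreach ( $terms as $term ) {
        $link = get_term_link( $term );
        if ( is_wp_error( $link ) ) {
            continue;
        }
        echo '<a href="' . esc_url( $link ) . '">' . esc_html( $term->name ) . '</a>';
    }
    echo '</div>';
    wp_die();
}

// A public widget endpoint is normally exposed to anonymous visitors as well,
// so both hooks point at the hardened handler.
add_action( 'wp_ajax_demo_terms_list', 'demo_terms_list_hardened' );
add_action( 'wp_ajax_nopriv_demo_terms_list', 'demo_terms_list_hardened' );
```

When reviewing a plugin for this class of bug, look for every `wp_ajax_nopriv_` registration and trace each `$_GET`/`$_POST`/`$_REQUEST` read in the handler to the `echo` or `printf` that emits it; a missing `esc_*()` call at the output site is the defect, regardless of what was done on input.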

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Protect WP Admin WordPress plugin before 4.0 discloses the URL of the admin panel via a redirection triggered by a crafted URL, bypassing the protection it offers. The Protect WP Admin plugin for WordPress is vulnerable to information disclosure in versions up to and including 3.8: a redirect issued after processing a crafted request leaks the hidden admin URL, so an unauthenticated attacker can learn the renamed login path and bypass the intended protection. The two descriptions give different affected ranges (before 4.0, and up to and including 3.8); upgrading to 4.0 or later satisfies both. • https://magos-securitas.com/txt/CVE-2023-3139.txt https://wpscan.com/vulnerability/f8a29aee-19cd-4e62-b829-afc9107f69bd • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Custom Share Buttons with Floating Sidebar WordPress plugin before 4.2 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The Custom Share Buttons with Floating Sidebar plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 4.1 via several settings parameters. This makes it possible for authenticated attackers with access to the plugin's settings to inject arbitrary web scripts that execute when a victim views a page containing the stored payload. • https://wpscan.com/vulnerability/79a532e9-bc6e-4722-8d67-9c15720d06a6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

The WP Social Buttons WordPress plugin through 2.1 does not sanitise and escape its settings, allowing high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The relevance of unfiltered_html is that on sites where it is removed (for example multisite, or with DISALLOW_UNFILTERED_HTML set) even administrators are not supposed to be able to store raw script, so a plugin that saves and echoes its settings unfiltered reintroduces exactly the capability the site owner switched off. • https://wpscan.com/vulnerability/36cdd130-9bb7-4274-bac6-07d00008d810 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
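The settings-handling pattern that both of the preceding findings (Custom Share Buttons with Floating Sidebar, and WP Social Buttons) describe, as an added example that is not code from either plugin: saving option values unfiltered and echoing them as-is, beside a hardened version that filters on save according to the saving user's unfiltered_html capability and escapes on output. The option name `demo_share_buttons`, its fields and the function names are assumptions for illustration.

```php
<?php
/**
 * Added example, not code from the Custom Share Buttons with Floating Sidebar or
 * WP Social Buttons plugins: a settings page that stores a label, a snippet of
 * inline CSS and a block of HTML. Option name, field names and function names
 * are assumptions for illustration.
 */

// Vulnerable pattern: whatever the settings form submitted is stored, and the
// stored value is echoed straight into markup on the front end. An administrator
// on a site where unfiltered_html is disallowed can still store
//   label = "><script>...</script>
// and every visitor runs it.
function demo_share_buttons_vulnerable_output() {
    $opts = get_option( 'demo_share_buttons', array() );
    echo '<div class="share" style="' . $opts['css'] . '">' . $opts['label'] . '</div>';
    echo $opts['html'];
}

// Hardened, step 1: a sanitize_callback runs every time the option is written
// through options.php (or update_option()), so the stored value is already safe.
function demo_share_buttons_sanitize( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();

    // Plain text: strip tags, control characters and line breaks.
    $clean['label'] = sanitize_text_field( isset( $input['label'] ) ? $input['label'] : '' );

    // Inline CSS: keep only declarations WordPress considers safe (no url(),
    // expression(), behavior etc.), the same filter core applies to style attributes.
    $clean['css'] = safecss_filter_attr( isset( $input['css'] ) ? $input['css'] : '' );

    // Markup: mirror core's own rule. Users who hold unfiltered_html may store
    // raw HTML; everyone else gets the post-content allow-list, which drops
    // <script>, on* handlers and javascript: URLs.
    $raw_html      = isset( $input['html'] ) ? $input['html'] : '';
    $clean['html'] = current_user_can( 'unfiltered_html' ) ? $raw_html : wp_kses_post( $raw_html );

    return $clean;
}

function demo_share_buttons_register() {
    register_setting(
        'demo_share_buttons_group',
        'demo_share_buttons',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'demo_share_buttons_sanitize',
            'default'           => array( 'label' => 'Share', 'css' => '', 'html' => '' ),
        )
    );
}
add_action( 'admin_init', 'demo_share_buttons_register' );

// Hardened, step 2: escape on output for the context each value lands in.
// The HTML field is echoed as stored because the save path already filtered
// it for users without unfiltered_html, which is the behaviour the capability
// defines; the scalar fields are escaped regardless of what was stored.
function demo_share_buttons_output() {
    $opts  = get_option( 'demo_share_buttons', array() );
    $label = isset( $opts['label'] ) ? $opts['label'] : 'Share';
    $css   = isset( $opts['css'] ) ? $opts['css'] : '';
    $html  = isset( $opts['html'] ) ? $opts['html'] : '';

    echo '<div class="share" style="' . esc_attr( $css ) . '">' . esc_html( $label ) . '</div>';
    echo $html;
}
```

The check to run when auditing a plugin for this: find each `register_setting()` call and confirm it passes a `sanitize_callback` (or that `update_option()` is only reached after explicit sanitisation), then find every `get_option()` read of that setting and confirm the value is wrapped in the `esc_*()` function that matches the output context. A plugin that relies on "only admins can change settings" as its sole control is exactly what these two advisories flag.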

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Protect WP Admin WordPress plugin before 3.6.2 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin (and therefore the protection it offers) via a crafted request. A second description of the same issue gives the affected range as versions before 3.7; upgrading to 3.7 or later satisfies both statements. Since the plugin's purpose is to hide the admin login path, an unauthenticated request that switches it off removes that protection for the whole site. • https://wpscan.com/vulnerability/4204682b-f657-42e1-941c-bee7a245e9fd • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
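The pattern behind a "missing authorization in lib/<file>.php" finding, as an added example that is not the Protect WP Admin plugin's own code: a plugin file that bootstraps WordPress itself and changes state when requested directly, beside a hardened replacement that is only reachable through admin-post.php by a user with the right capability and a valid nonce. The option name `demo_protection_enabled`, the action name `demo_deactivate`, the file layout and the function names are assumptions for illustration.

```php
<?php
/**
 * Added example, not code from the Protect WP Admin plugin: a state-changing
 * helper file under a plugin's lib/ directory, in a vulnerable and a hardened
 * form. Option, action, file and function names are assumptions for illustration.
 */

// Vulnerable shape. A file at wp-content/plugins/<plugin>/lib/deactivate.php that
// loads WordPress on its own and then flips the option. Anyone who can send
//   GET /wp-content/plugins/<plugin>/lib/deactivate.php
// turns the protection off, because nothing in the file asks who is calling.
//
//   require_once dirname( __FILE__, 5 ) . '/wp-load.php';
//   update_option( 'demo_protection_enabled', 0 );
//   deactivate_plugins( plugin_basename( dirname( __FILE__, 2 ) . '/demo.php' ) );

// Hardened. First, the file refuses to run outside a WordPress bootstrap, so a
// direct request produces nothing.
defined( 'ABSPATH' ) || exit;

// Second, the action is exposed only through admin-post.php. The admin_post_
// prefix (without _nopriv) means WordPress never dispatches it to an
// unauthenticated caller, the capability check restricts it to users who may
// manage plugins, and the nonce ties the request to an intentional click on
// the settings page rather than a cross-site request.
function demo_handle_deactivate() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions', '', 403 );
    }
    check_admin_referer( 'demo_deactivate_protection' ); // dies on a missing or stale nonce

    update_option( 'demo_protection_enabled', 0 );

    wp_safe_redirect( admin_url( 'options-general.php?page=demo&deactivated=1' ) );
    exit;
}
add_action( 'admin_post_demo_deactivate', 'demo_handle_deactivate' );

// The only link that should trigger the action, rendered on the settings page.
// wp_nonce_url() appends a _wpnonce bound to the same action string that
// check_admin_referer() verifies above.
function demo_deactivate_link() {
    $url = wp_nonce_url(
        admin_url( 'admin-post.php?action=demo_deactivate' ),
        'demo_deactivate_protection'
    );
    return '<a href="' . esc_url( $url ) . '">Disable protection</a>';
}
```

Two checks follow from this. Requesting the `lib/` file directly should now return an empty body rather than change anything; and any file under `wp-content/plugins/` that contains a `require` of `wp-load.php` or `wp-config.php` is worth reading closely, since that is the usual way a plugin ends up with a state-changing endpoint that bypasses the capability and nonce checks WordPress would otherwise apply.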