CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1547 – Check & Log email < 1.0.6 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1547
The Check & Log Email WordPress plugin before 1.0.6 does not sanitise and escape a parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting El plugin Check & Log Email de WordPress versiones anteriores a 1.0.6, no sanea y escapa de un parámetro antes de devolverlo en un atributo en una página de administración, conllevando a un ataue de tipo Cross-Site Scripting Reflejado • https://wpscan.com/vulnerability/83eca346-7045-414e-81fc-e0d9b735f0bd • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3EPSS: 0%CPEs: 425EXPL: 0CVE-2022-4974 – Freemius SDK <= 2.4.2 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2022-4974
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable. • https://www.wordfence.com/threat-intel/vulnerabilities/id/39fb0499-9ab4-4a2f-b0db-ece86bcf4d42?source=cve https://wpscan.com/vulnerability/6dae6dca-7474-4008-9fe5-4c62b9f12d0a https://freemius.com/blog/managing-security-issues-open-source-freemius-sdk-security-disclosure https://wpdirectory.net/search/01FWPVWA7BC5DYGZHNSZQ9QMN5 https://wpdirectory.net/search/01G02RSGMFS1TPT63FS16RWEYR https://web.archive.org/web/20220225174410/https%3A//www.pluginvulnerabilities.com/2022/02/25/our-security-review-of-wordpress-plugin-found-freemius-li • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24908 – Check & Log Email < 1.0.4 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24908
The Check & Log Email WordPress plugin before 1.0.4 does not escape the d parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting El plugin Check & Log Email de WordPress versiones anteriores a 1.0.4, no escapa el parámetro d antes de devolverlo en un atributo, conllevando a un problema de tipo Cross-Site Scripting Reflejado • https://wpscan.com/vulnerability/77f50129-4b1f-4e50-8321-9dd32deba6e1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24774 – Check & Log Email < 1.0.3 - Admin+ SQL Injections
https://notcve.org/view.php?id=CVE-2021-24774
The Check & Log Email WordPress plugin before 1.0.3 does not validate and escape the "order" and "orderby" GET parameters before using them in a SQL statement when viewing logs, leading to SQL injections issues El plugin Check & Log Email de WordPress versiones anteriores a 1.0.3, no comprueba ni escapa de los parámetros GET "order" y "orderby" antes de usarlos en una sentencia SQL cuando son visualizados los registros, conllevando a problemas de inyecciones SQL • https://wpscan.com/vulnerability/f80ef09a-d3e2-4d62-8532-f0ebe59ae110 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •