CVSS: 10.0EPSS: 70%CPEs: 1EXPL: 2CVE-2023-6933 – Better Search Replace <= 1.4.4 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2023-6933
24 Jan 2024 — The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. El complemento Better Searc... • https://github.com/w2xim3/CVE-2023-6933 • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23684 – WordPress WPGraphQL Plugin <= 1.14.5 is vulnerable to Server Side Request Forgery (SSRF)
https://notcve.org/view.php?id=CVE-2023-23684
28 Jun 2023 — Server-Side Request Forgery (SSRF) vulnerability in WPGraphQL.This issue affects WPGraphQL: from n/a through 1.14.5. Vulnerabilidad de Server-Side Request Forgery (SSRF) en WPGraphQL. Este problema afecta a WPGraphQL: desde n/a hasta 1.14.5. The WPGraphQL plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.14.5 via createMediaItem. This can allow authenticated attackers with editor access or higher to make web requests to arbitrary locations originating from... • https://patchstack.com/database/vulnerability/wp-graphql/wordpress-wp-graphql-plugin-1-14-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24421 – WordPress PHP Compatibility Checker Plugin <= 1.5.2 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-24421
06 Apr 2023 — Cross-Site Request Forgery (CSRF) vulnerability in WP Engine PHP Compatibility Checker plugin <= 1.5.2 versions. The PHP Compatibility Checker plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.2. This is due to missing or incorrect nonce validation on the start_test and cleanup function. This makes it possible for unauthenticated attackers to start a new compatibility scan or delete scan results via a forged request granted they can trick a site administr... • https://patchstack.com/database/vulnerability/php-compatibility-checker/wordpress-php-compatibility-checker-plugin-1-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1563 – WPGraphQL WooCommerce <= 0.11.0 - Unauthenticated Coupon Codes Disclosure
https://notcve.org/view.php?id=CVE-2022-1563
26 Jul 2022 — The WPGraphQL WooCommerce WordPress plugin before 0.12.4 does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL. El complemento WPGraphQL WooCommerce WordPress anterior a 0.12.4 no impide que atacantes no autenticados enumeren los códigos de cupón y los valores de una tienda a través de GraphQL. The WPGraphQL WooCommerce plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 0.11.0. This can allow unauthenticated attacke... • https://github.com/wp-graphql/wp-graphql-woocommerce • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 425EXPL: 0CVE-2022-4974 – Freemius SDK <= 2.4.2 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2022-4974
04 Mar 2022 — The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable. • https://www.wordfence.com/threat-intel/vulnerabilities/id/39fb0499-9ab4-4a2f-b0db-ece86bcf4d42?source=cve • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 63%CPEs: 1EXPL: 5CVE-2019-9879 – WPGraphQL <= 0.2.3 - Administrative User Creation
https://notcve.org/view.php?id=CVE-2019-9879
08 May 2019 — The WPGraphQL 0.2.3 plugin for WordPress allows remote attackers to register a new user with admin privileges, whenever new user registrations are allowed. This is related to the registerUser mutation. El plugin The WPGraphQL 0.2.3 para WordPress, permite a los atacantes remotos registrar un nuevo usuario con privilegios de administrador, donde siempre que nuevos registros de usuarios sean permitidos. Esto esta relacionado con la mutación registerUser. The WPGraphQL versions up to 0.2.3 for WordPress allows... • https://packetstorm.news/files/id/153025 • CWE-269: Improper Privilege Management CWE-306: Missing Authentication for Critical Function •
CVSS: 5.3EPSS: 21%CPEs: 1EXPL: 5CVE-2019-9881 – WPGraphQL <= 0.2.3 - Unauthenticated Comment Creation
https://notcve.org/view.php?id=CVE-2019-9881
08 May 2019 — The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled. La mutación create Comment en la WPGraphQL 0.2.3. para WordPress permite a los usuarios no identificados publicar comentarios en cualquier articulo, incluso, cuando la opción "permitir" está deshabilitada The createComment mutation in WPGraphQL up to version 0.2.3 for WordPress allows unauthenticated users to post comments on any article,... • https://packetstorm.news/files/id/153025 • CWE-306: Missing Authentication for Critical Function CWE-862: Missing Authorization •
CVSS: 9.1EPSS: 43%CPEs: 1EXPL: 5CVE-2019-9880 – WPGraphQL <= 0.2.3 - Information Exposure
https://notcve.org/view.php?id=CVE-2019-9880
08 May 2019 — An issue was discovered in the WPGraphQL 0.2.3 plugin for WordPress. By querying the 'users' RootQuery, it is possible, for an unauthenticated attacker, to retrieve all WordPress users details such as email address, role, and username. Se descubrió un problema en el plugin WPGraphQL 0.2.3 para WordPress. Consultando los usuarios RootQuery, esto es posible por un atacante sin identificar, para recuperar todos los detalles de los usuarios WordPress, como direcciones de email, administrador, y nombre de usuari... • https://packetstorm.news/files/id/153025 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-306: Missing Authentication for Critical Function •