CVE-2023-2842 – WP Inventory Manager < 2.1.0.14 - Inventory Items Deletion via CSRF
https://notcve.org/view.php?id=CVE-2023-2842
05 Jun 2023 — The WP Inventory Manager WordPress plugin before 2.1.0.14 does not have CSRF checks, which could allow attackers to make logged-in admins delete Inventory Items via a CSRF attack. The WP Inventory Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.0.13. This is due to missing or incorrect nonce validation on the delete_item function. This makes it possible for unauthenticated attackers to perform unauthorized actions via a forged request granted the... • https://wpscan.com/vulnerability/0357ecc7-56f5-4843-a928-bf2d3ce75596 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-34002 – WordPress WP Inventory Manager Plugin <= 2.1.0.13 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-34002
02 Jun 2023 — Cross-Site Request Forgery (CSRF) vulnerability in WP Inventory Manager plugin <= 2.1.0.13 versions. Cross-Site Request Forgery (CSRF) vulnerability in the WP Inventory Manager plugin in versions <= 2.1.0.13. The WP Inventory Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.0.13. This is due to missing or incorrect nonce validation on the delete_item function. This makes it possible for unauthenticated attackers to perform unauthorize... • https://patchstack.com/database/vulnerability/wp-inventory-manager/wordpress-wp-inventory-manager-plugin-2-1-0-13-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-2123 – WP Inventory Manager < 2.1.0.13 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-2123
26 Apr 2023 — The WP Inventory Manager WordPress plugin before 2.1.0.13 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. The WP Inventory Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘message’ parameter in versions up to, and including, 2.1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execu... • https://github.com/0xn4d/poc-cve-xss-encoded-wp-inventory-manager-plugin • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1806 – WP Inventory Manager < 2.1.0.12 - Reflected XSS
https://notcve.org/view.php?id=CVE-2023-1806
12 Apr 2023 — The WP Inventory Manager WordPress plugin before 2.1.0.12 does not sanitise and escape the message parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as administrators. The WP Inventory Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘message’ parameter in versions up to, and including, 2.1.0.11 due to insufficient input sanitization and output escaping. This makes it possible... • https://wpscan.com/vulnerability/38d99c7d-2d10-4910-b95a-1cb545b813c4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')