CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46623 – WordPress WP EXtra Plugin <= 6.2 is vulnerable to Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2023-46623
Improper Control of Generation of Code ('Code Injection') vulnerability in TienCOP WP EXtra.This issue affects WP EXtra: from n/a through 6.2. Vulnerabilidad de control inadecuado de generación de código ("inyección de código") en TienCOP WP EXtra. Este problema afecta a WP EXtra: desde n/a hasta 6.2. • https://patchstack.com/database/vulnerability/wp-extra/wordpress-wp-extra-plugin-6-2-remote-code-execution-rce-via-htaccess-modification-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47825 – WordPress WP EXtra Plugin <= 6.4 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-47825
Cross-Site Request Forgery (CSRF) vulnerability in TienCOP WP EXtra plugin <= 6.4 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento TienCOP WP EXtra en versiones <= 6.4. The WP EXtra plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.4. This is due to missing or incorrect nonce validation on the ToolImport function. This makes it possible for unauthenticated attackers to change plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/wp-extra/wordpress-wp-extra-plugin-6-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5314 – WP EXtra <= 6.2 - Missing Authorization to Arbitrary Email Sending
https://notcve.org/view.php?id=CVE-2023-5314
The WP EXtra plugin for WordPress is vulnerable to unauthorized access to restricted functionality due to a missing capability check on the 'test-email' section of the register() function in versions up to, and including, 6.2. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to send emails with arbitrary content to arbitrary locations from the affected site's mail server. El complemento WP EXtra para WordPress es vulnerable al acceso no autorizado a funciones restringidas debido a una falta de verificación de capacidad en la sección 'test-email' de la función de registro() en versiones hasta la 6.2 incluida. Esto hace posible que atacantes autenticados, con permisos mínimos, como un suscriptor, envíen correos electrónicos con contenido arbitrario a ubicaciones arbitrarias desde el servidor de correo del sitio afectado. • https://plugins.trac.wordpress.org/changeset/2977703/wp-extra https://www.wordfence.com/threat-intel/vulnerabilities/id/93c10a58-c5f2-440b-a88e-5314143fdd90?source=cve • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5311 – WP EXtra <= 6.2 - Missing Authorization to .htaccess File Modification
https://notcve.org/view.php?id=CVE-2023-5311
The WP EXtra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the register() function in versions up to, and including, 6.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify the contents of the .htaccess files located in a site's root directory or /wp-content and /wp-includes folders and achieve remote code execution. El complemento WP EXtra para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función de registro() en versiones hasta la 6.2 incluida. Esto hace posible que atacantes autenticados, con permisos de nivel de suscriptor y superiores, modifiquen el contenido de los archivos .htaccess ubicados en el directorio raíz de un sitio o en las carpetas /wp-content y /wp-includes y logren la ejecución remota de código. The WP EXtra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the register() function in versions up to, and including, 6.2. • https://giongfnef.gitbook.io/giongfnef/cve/cve-2023-5311 https://plugins.trac.wordpress.org/changeset/2977703/wp-extra https://www.wordfence.com/threat-intel/vulnerabilities/id/87e3dd5e-0d77-4d78-8171-0beaf9482699?source=cve • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46212 – WordPress WP EXtra Plugin <= 6.2 is vulnerable to Broken Access Control
https://notcve.org/view.php?id=CVE-2023-46212
Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in TienCOP WP EXtra allows Accessing Functionality Not Properly Constrained by ACLs, Cross Site Request Forgery.This issue affects WP EXtra: from n/a through 6.2. Autorización faltante, vulnerabilidad de Cross-Site Request Forgery (CSRF) en TienCOP WP EXtra permite acceder a la funcionalidad no restringida adecuadamente por las ACL, Cross-Site Request Forgery. Este problema afecta a WP EXtra: desde n/a hasta 6.2. The WP EXtra plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the register() function in versions up to, and including, 6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to export plugin settings. • https://patchstack.com/database/vulnerability/wp-extra/wordpress-wp-extra-plugin-6-2-broken-access-control-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •