2023-06-07
2023-06-07 02:15Z
HIGH

CVE-2020-36717 — Kaliforms Kali_forms: The Kali Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-36717

The Kali Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.1. This is due to incorrect nonce handling throughout the plugin's function. This makes it possible for unauthenticated attackers to access the plugin's administrative functions via forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 59th percentile

CWECWE 352VNDKaliformsVNDKaliTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-06-07
2023-06-07 02:15Z
CRIT

CVE-2020-36713 — Inspireui Mstore_api: The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-36713

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.1.5. This is due to unrestricted access to the 'register' and 'update_user_profile' routes. This makes it possible for unauthenticated attackers to create new administrator accounts, delete existing administrator accounts, or escalate privileges on any account. CVSSv3.1 9.8 (CRITICAL) · EPSS 76th percentile

CWECWE 288CWECWE 306VNDInspireuiVNDMstoreTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-06-07
2023-06-07 02:15Z
HIGH

CVE-2020-36712 — Kaliforms Kali_forms: The Kali Forms plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-36712

The Kali Forms plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 2.1.1. This is due to the kaliforms_form_delete_uploaded_file function lacking any privilege or user protections. This makes it possible for unauthenticated attackers to delete any site post or page with the id parameter. CVSSv3.1 8.6 (HIGH) · EPSS 55th percentile

CWECWE 862VNDKaliformsVNDKaliTYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2023-06-07
2023-06-07 02:15Z
CRIT

CVE-2020-36708 — Colorlib Activello: The following themes for WordPress are vulnerable to Function Injections in versions up to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-36708

The following themes for WordPress are vulnerable to Function Injections in versions up to and including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4. This is due to epsilon_framework_ajax_action. Thi CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile

CWECWE 94VNDWordpressVNDColorlibTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-06-07
2023-06-07 02:15Z
HIGH

CVE-2020-36707 — Wpconcern Nifty_coming_soon_\&_maintenance_mode_page: The Coming Soon & Maintenance Mode Page plugin for WordPress is vulnerable to Cross-Site

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-36707

The Coming Soon & Maintenance Mode Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.57. This is due to confusing logic functions missing or having incorrect nonce validation. This makes it possible for unauthenticated attackers to gain and perform otherwise unauthorized access and actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 50th percentile

CWECWE 352VNDWpconcernVNDComingTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-06-07
2023-06-07 02:15Z
HIGH

CVE-2020-36701 — King-theme Page_builder_king_composer: The Page Builder: KingComposer plugin for WordPress is vulnerable to Arbitrary File Uploads in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-36701

The Page Builder: KingComposer plugin for WordPress is vulnerable to Arbitrary File Uploads in versions up to, and including, 2.9.3 via the 'process_bulk_action' function in the 'kingcomposer/includes/kc.extensions.php' file. This makes it possible for authenticated users with author level permissions and above to upload arbitrary files onto the server which can be used to execute code on the server. CVSSv3.1 8.8 (HIGH) · EPSS 83th percentile

CWECWE 434VNDKing ThemeVNDPageTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2023-06-07
2023-06-07 02:15Z
HIGH

CVE-2020-36700 — King-theme Page_builder_kingcomposer: The Page Builder: KingComposer plugin for WordPress is vulnerable to authorization bypass in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-36700

The Page Builder: KingComposer plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.9.3. This is due to a security nonce being leaked in the '/wp-admin/index.php' page. This makes it possible for authenticated attackers to change arbitrary WordPress options, delete arbitrary files/folders, and inject arbitrary content. CVSSv3.1 8.8 (HIGH) · EPSS 45th percentile

CWECWE 284VNDKing ThemeVNDPageTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
728 × 90 / responsive · programmatic ad slot
2023-06-07
2023-06-07 02:15Z
HIGH

CVE-2019-25150 — Wpexperts Email_templates: The Email Templates plugin for WordPress is vulnerable to HTML Injection in versions up

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2019-25150

The Email Templates plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.3. This makes it possible for attackers to present phishing forms or conduct cross-site request forgery attacks against site administrators. CVSSv3.1 8.8 (HIGH) · EPSS 65th percentile

CWECWE 74VNDWpexpertsTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-06-07
2023-06-07 02:15Z
HIGH

CVE-2019-25142 — Extendthemes Materialis: The Mesmerize & Materialis themes for WordPress are vulnerable to authenticated options change in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2019-25142

The Mesmerize & Materialis themes for WordPress are vulnerable to authenticated options change in versions up to, and including,1.6.89 (Mesmerize) and 1.0.172 (Materialis). This is due to 'companion_disable_popup' function only checking the nonce while sending user input to the 'update_option' function. This makes it possible for authenticated attackers to change otherwise restricted options. CVSSv3.1 8.8 (HIGH) · EPSS 69th percentile

CWECWE 862VNDExtendthemesVNDMesmerizeTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-06-07
2023-06-07 02:15Z
CRIT

CVE-2019-25141 — Wp-ecommerce Easy_wp_smtp: The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2019-25141

The Easy WP SMTP plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.3.9. This is due to missing capability checks on the admin_init() function, in addition to insufficient input validation. This makes it possible for unauthenticated attackers to modify the plugins settings and arbitrary options on the site that can be used to inject new administrative user accounts. CVSSv3.1 9.8 (CRITICAL) · EPSS 98th percentile

CWECWE 862VNDWp EcommerceVNDEasyTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-06-07
2023-06-07 02:15Z
CRIT

CVE-2019-25138 — Plugin-planet User_submitted_posts: The User Submitted Posts plugin for WordPress is vulnerable to arbitrary file uploads due

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2019-25138

The User Submitted Posts plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the usp_check_images function in versions up to, and including, 20190312. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. CVSSv3.1 9.8 (CRITICAL) · EPSS 90th percentile

CWECWE 434VNDPlugin PlanetTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-06-07
2023-06-07 02:15Z
CRIT

CVE-2016-15033 — Delete_all_comments_project Delete_all_comments: The Delete All Comments plugin for WordPress is vulnerable to arbitrary file uploads due

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2016-15033

The Delete All Comments plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the via the delete-all-comments.php file in versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. CVSSv3.1 9.8 (CRITICAL) · EPSS 90th percentile

CWECWE 434VNDDelete All Comments ProjectVNDDeleteTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-06-07
2023-06-07 01:15Z
HIGH

CVE-2023-33782 — Dlink Dir-842v2_firmware: D-Link DIR-842V2 v1.0.3 was discovered to contain a command injection vulnerability via the iperf3

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-33782

D-Link DIR-842V2 v1.0.3 was discovered to contain a command injection vulnerability via the iperf3 diagnostics function. CVSSv3.1 8.8 (HIGH) · EPSS 99th percentile

CWECWE 77VNDDlinkVNDLinkTYPVulnerability
8.8
CVSS v3.1
100
Edit Score
2023-06-07
2023-06-07 01:15Z
HIGH

CVE-2023-33781 — Dlink Dir-842v2_firmware: An issue in D-Link DIR-842V2 v1.0.3 allows attackers to execute arbitrary commands via importing

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-33781

An issue in D-Link DIR-842V2 v1.0.3 allows attackers to execute arbitrary commands via importing a crafted file. CVSSv3.1 8.8 (HIGH) · EPSS 98th percentile

VNDDlinkVNDLinkTYPVulnerability
8.8
CVSS v3.1
100
Edit Score
2023-06-06
2023-06-06 14:15Z
CRIT

CVE-2023-33532 — Netgear R6250_firmware: There is a command injection vulnerability in the Netgear R6250 router with Firmware Version

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-33532

There is a command injection vulnerability in the Netgear R6250 router with Firmware Version 1.0.4.48. If an attacker gains web management privileges, they can inject commands into the post request parameters, thereby gaining shell privileges. CVSSv3.1 9.8 (CRITICAL) · EPSS 97th percentile

CWECWE 77VNDNetgearVNDThereTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-06-06
2023-06-06 14:15Z
CRIT

CVE-2023-31569 — Totolink X5000r_firmware: X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection via the setWanCfg function.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-31569

TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain a command injection via the setWanCfg function. CVSSv3.1 9.8 (CRITICAL) · EPSS 86th percentile

CWECWE 77VNDTotolinkTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-06-06
2023-06-06 13:15Z
HIGH

CVE-2023-33530 — Tenda G103_firmware: There is a command injection vulnerability in the Tenda G103 Gigabit GPON Terminal with

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-33530

There is a command injection vulnerability in the Tenda G103 Gigabit GPON Terminal with firmware version V1.0.0.5. If an attacker gains web management privileges, they can inject commands gaining shell privileges. CVSSv3.1 8.8 (HIGH) · EPSS 70th percentile

CWECWE 77VNDTendaVNDThereTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-06-06
2023-06-06 12:15Z
HIGH

CVE-2023-33381 — Mitrastar Gpt-2741gnac_firmware: A command injection vulnerability was found in the ping functionality of the MitraStar GPT-2741GNAC

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-33381

A command injection vulnerability was found in the ping functionality of the MitraStar GPT-2741GNAC router (firmware version AR_g5.8_110WVN0b7_2). The vulnerability allows an authenticated user to execute arbitrary OS commands by sending specially crafted input to the router via the ping function. CVSSv3.1 7.2 (HIGH) · EPSS 98th percentile

CWECWE 78VNDMitrastarTYPVulnerability
7.2
CVSS v3.1
94
Edit Score
2023-06-06
2023-06-06 10:15Z
HIGH

CVE-2023-2833 — Wpdeveloper Reviewx: The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2833

The ReviewX plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.13 due to insufficient restriction on the 'rx_set_screen_options' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_screen_options[option]' and 'wp_screen_options[value]' parameters during a screen option update. CVSSv3.1 8.8 (HIGH) · EPSS 96th percentile

CWECWE 269VNDWpdeveloperVNDReviewxTYPVulnerability
8.8
CVSS v3.1
100
Edit Score
2023-06-06
2023-06-06 02:15Z
HIGH

CVE-2023-2546 — Wp_user_switch_project Wp_user_switch: The WP User Switch plugin for WordPress is vulnerable to authentication bypass in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2546

The WP User Switch plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0.2. This is due to incorrect authentication checking in the 'wpus_allow_user_to_admin_bar_menu' function with the 'wpus_who_switch' cookie value. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator, if they have access to the username. CVSSv3.1 8.8 (HIGH) · EPSS 85th percentile

CWECWE 288VNDWp User Switch ProjectTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2023-06-03
2023-06-03 00:15Z
HIGH

CVE-2023-2781 — Wisetr User_email_verification_for_woocommerce: The User Email Verification for WooCommerce plugin for WordPress is vulnerable to authentication bypass

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2781

The User Email Verification for WooCommerce plugin for WordPress is vulnerable to authentication bypass via authenticate_user_by_email in versions up to, and including, 3.5.0. This is due to a random token generation weakness in the resend_verification_email function. This allows unauthenticated attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, includ CVSSv3.1 8.1 (HIGH) · EPSS 64th percentile

CWECWE 288CWECWE 306VNDWisetrTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2023-06-02
2023-06-02 08:15Z
CRIT

CVE-2023-3000 — Erikogluteknoloji Energy_monitoring: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3000

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Erikoglu Technology ErMon allows Command Line Execution through SQL Injection, Authentication Bypass.This issue affects ErMon: before 230602. CVSSv3.1 9.8 (CRITICAL) · EPSS 7th percentile

CWECWE 89VNDErikogluteknolojiTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-06-02
2023-06-02 04:15Z
HIGH

CVE-2023-2201 — Salephpscripts Web_directory_free: The Web Directory Free for WordPress is vulnerable to SQL Injection via the ‘post_id’

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2201

The Web Directory Free for WordPress is vulnerable to SQL Injection via the ‘post_id’ parameter in versions up to, and including, 1.6.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. CVSSv3.1 8.8 (HIGH) · EPSS 59th percentile

CWECWE 89VNDSalephpscriptsVNDWebTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-05-31
2023-05-31 03:15Z
CRIT

CVE-2023-2987 — Wordapp Wordapp: The Wordapp plugin for WordPress is vulnerable to authorization bypass due to an use

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2987

The Wordapp plugin for WordPress is vulnerable to authorization bypass due to an use of insufficiently unique cryptographic signature on the 'wa_pdx_op_config_set' function in versions up to, and including, 1.6.0. This makes it possible for unauthenticated attackers to the plugin to change the 'validation_token' in the plugin config, providing access to the plugin's remote control functionalities, such as creating an admin access URL, which can be used for privilege escalatio CVSSv3.1 9.8 (CRITICAL) · EPSS 39th percentile

CWECWE 345VNDWordappTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-05-26
2023-05-26 17:15Z
HIGH

CVE-2023-33779 — Xuxueli Xxl-job: A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows users to execute arbitrary commands

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-33779

A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows users to execute arbitrary commands on another user's account via a crafted POST request to the component /jobinfo/. CVSSv3.1 8.8 (HIGH) · EPSS 62th percentile

CWECWE 863VNDXuxueliTYPVulnerability
8.8
CVSS v3.1
94
Edit Score