CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10786 – Simple Local Avatars <= 2.7.11 - Missing Authorization to Authenticated (Subscriber+) User Cache Clearing
https://notcve.org/view.php?id=CVE-2024-10786
The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of datadue to a missing capability check on the sla_clear_user_cache function in all versions up to, and including, 2.7.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear user caches. • https://plugins.trac.wordpress.org/browser/simple-local-avatars/tags/2.7.11/includes/class-simple-local-avatars.php#L1374 https://plugins.trac.wordpress.org/changeset/3186674/simple-local-avatars/tags/2.8.0/includes/class-simple-local-avatars.php https://www.wordfence.com/threat-intel/vulnerabilities/id/e2619d50-e295-4e13-91d4-f998b8aa5be4?source=cve • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43116 – WordPress Simple Local Avatars plugin <= 2.7.10 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-43116
Cross-Site Request Forgery (CSRF) vulnerability in 10up Simple Local Avatars.This issue affects Simple Local Avatars: from n/a through 2.7.10. The Simple Local Avatars plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.10. This is due to missing or incorrect nonce validation on the save_default_avatar_file_id() function. This makes it possible for unauthenticated attackers to set the default avatar file via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/simple-local-avatars/wordpress-simple-local-avatars-plugin-2-7-10-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •