
CVSS: 6.3 | EPSS: 0% | CPEs: 425 | EXPL: 0

The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information Disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and _set_db_option functions in versions up to, and including, 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.

• https://www.wordfence.com/threat-intel/vulnerabilities/id/39fb0499-9ab4-4a2f-b0db-ece86bcf4d42?source=cve
• https://wpscan.com/vulnerability/6dae6dca-7474-4008-9fe5-4c62b9f12d0a
• https://freemius.com/blog/managing-security-issues-open-source-freemius-sdk-security-disclosure
• https://wpdirectory.net/search/01FWPVWA7BC5DYGZHNSZQ9QMN5
• https://wpdirectory.net/search/01G02RSGMFS1TPT63FS16RWEYR
• https://web.archive.org/web/20220225174410/https%3A//www.pluginvulnerabilities.com/2022/02/25/our-security-review-of-wordpress-plugin-found-freemius-li
• CWE-862: Missing Authorization

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Redirect 404 Error Page to Homepage or Custom Page with Logs WordPress plugin before 1.7.9 does not check for CSRF when deleting logs, which could allow an attacker to make a logged-in admin delete them via a CSRF attack.

• https://wpscan.com/vulnerability/0b35ad4a-3d94-49b1-a98d-07acf8dd4962
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

Stop User Enumeration 1.3.8 allows user enumeration via the REST API. The Stop User Enumeration plugin for WordPress is vulnerable to User Enumeration in versions up to, and including, 1.3.8. This is due to a flaw that was found in the REST API: the REST API allows simulating different request types. As such, unauthenticated attackers can perform a POST request with the “users” string in the body of the request, and tell the REST API to act like it’s received a GET request.

• https://security.dxw.com/advisories/stop-user-enumeration-rest-api
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

The stop-user-enumeration plugin before 1.3.8 for WordPress has XSS. The Stop User Enumeration plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts that execute in a victim's browser.

• https://wordpress.org/plugins/stop-user-enumeration/#developers
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')