CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43117 – WordPress Hummingbird plugin <= 3.9.1 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-43117
Cross-Site Request Forgery (CSRF) vulnerability in WPMU DEV Hummingbird.This issue affects Hummingbird: from n/a through 3.9.1. The Hummingbird plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.9.1. This is due to missing or incorrect nonce validation on the on_load and maybe_clear_all_cache functions. This makes it possible for unauthenticated attackers to update settings and clear cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/hummingbird-performance/wordpress-hummingbird-plugin-3-9-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43118 – Hummingbird <= 3.9.1 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-43118
The Hummingbird plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clear_module_cache() function in versions up to, and including, 3.9.1. This makes it possible for authenticated attackers, with contributor-level access and above, to clear module cache. • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32792 – WordPress Hummingbird plugin <= 3.7.3 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-32792
Missing Authorization vulnerability in WPMU DEV Hummingbird.This issue affects Hummingbird: from n/a through 3.7.3. Vulnerabilidad de autorización faltante en WPMU DEV Hummingbird. Este problema afecta a Hummingbird: desde n/a hasta 3.7.3. The Hummingbird plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the /admin/class-ajax.php file in versions up to, and including, 3.7.3. This makes it possible for unauthenticated attackers to perform unauthorized actions like clearing cache. • https://patchstack.com/database/vulnerability/hummingbird-performance/wordpress-hummingbird-plugin-3-7-3-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 6.8EPSS: 17%CPEs: 6EXPL: 2CVE-2008-4729 – Hummingbird 13.0 - ActiveX Remote Buffer Overflow (PoC)
https://notcve.org/view.php?id=CVE-2008-4729
Stack-based buffer overflow in Hummingbird.XWebHostCtrl.1 ActiveX control (hclxweb.dll) in Hummingbird Xweb ActiveX Control 13.0 and earlier allows remote attackers to execute arbitrary code via a long PlainTextPassword property. NOTE: code execution might not be possible in 13.0. Desbordamiento de búfer basado en la pila en el control ActiveX de Hummingbird.XWebHostCtrl.1(hclxweb.dll) en Hummingbird Xweb ActiveX Control v13.0 y anteriores que permite a atacantes remotos ejecutar código de su elección a traves de la propiedad PlanTextPassword. NOTA: La ejecución de código podria no ser posible en la v13.0. • https://www.exploit-db.com/exploits/6761 http://secunia.com/advisories/32319 http://securityreason.com/securityalert/4505 http://www.securityfocus.com/bid/31783 https://exchange.xforce.ibmcloud.com/vulnerabilities/45941 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.3EPSS: 47%CPEs: 1EXPL: 6CVE-2008-4728 – Hummingbird Deployment Wizard 2008 - ActiveX Command Execution
https://notcve.org/view.php?id=CVE-2008-4728
Multiple insecure method vulnerabilities in the DeployRun.DeploymentSetup.1 (DeployRun.dll) ActiveX control 10.0.0.44 in Hummingbird Deployment Wizard 2008 allow remote attackers to execute arbitrary programs via the (1) Run and (2) PerformUpdateAsync methods, and (3) modify arbitrary registry values via the SetRegistryValueAsString method. NOTE: the SetRegistryValueAsString method could be leveraged for code execution by specifying executable file values to Startup folders. Múltiples vulnerabilidades debido a un procedimiento inseguro en el control ActiveX DeployRun.DeploymentSetup.1 (DeployRun.dll) v10.0.0.44 in Hummingbird Deployment Wizard 2008 que permite a atacantes remotos ejecutar programas a su elección a través de los métodos de (1) Run y (2) PerformUpdateAsync y (3) modificación arbitraria de los valores del registro a traves del metodo SetRegistryValueAsString. NOTA: El método SetRegistryValueAsString podria activar la ejecución de código especificando valores de ficheros ejecutables de las carpetas de inicio. • https://www.exploit-db.com/exploits/6773 https://www.exploit-db.com/exploits/6776 https://www.exploit-db.com/exploits/6774 http://secunia.com/advisories/32337 http://www.securityfocus.com/bid/31799 http://www.shinnai.net/xplits/TXT_2XfQ1sHruhjaoePszNTG.html http://www.shinnai.net/xplits/TXT_JqLchaIAfq4kSH0NsvJO.html http://www.shinnai.net/xplits/TXT_L0z0Mimixdsko8kI6VFW.html http://www.vupen.com/english/advisories/2008/2857 https://exchange.xforce.ibmcloud.com/vulnerabilities/45961 •