CVE-2023-23643 – MainWP iThemes Security Extension <= 4.1.1 - Missing Authorization to Arbitrary Plugin Activation
https://notcve.org/view.php?id=CVE-2023-23643
The MainWP iThemes Security Extension plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 4.1.1 due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to activate arbitrary plugins. • CWE-862: Missing Authorization •
CVE-2020-36176 – iThemes Security <= 7.6.1 - Broken Password Mechanism
https://notcve.org/view.php?id=CVE-2020-36176
The iThemes Security (formerly Better WP Security) plugin before 7.7.0 for WordPress does not enforce a new-password requirement for an existing account until the second login occurs. El plugin iThemes Security (anteriormente Better WP Security) versiones anteriores a 7.7.0 para WordPress, no aplica el requisito de una nueva contraseña para una cuenta existente hasta que el segundo inicio de sesión ocurre • https://wordpress.org/plugins/better-wp-security/#developers • CWE-286: Incorrect User Management CWE-287: Improper Authentication •
CVE-2018-12636 – iThemes Security <= 7.0.2 - Authenticated SQL Injection
https://notcve.org/view.php?id=CVE-2018-12636
The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page. El plugin iThemes Security (better-wp-security) en versiones anteriores a la 7.0.3 para WordPress permite la inyección SQL (por atacantes con privilegios Admin) mediante la página de logs. WordPress iThemes Security plugin versions prior to 7.0.3 suffer from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/44943 https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E https://wordpress.org/plugins/better-wp-security/#developers • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2018-7433 – iThemes Security <= 6.9.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-7433
The iThemes Security plugin before 6.9.1 for WordPress does not properly perform data escaping for the logs page. El plugin iThemes Security, en versiones anteriores a la 6.9.1, para WordPress no realiza correctamente el escapado de datos para la página de logs. • https://wordpress.org/plugins/better-wp-security/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-532: Insertion of Sensitive Information into Log File •