CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-44587 – WordPress WP 2FA plugin <= 2.6.3 - Sensitive Data Exposure via Log File vulnerability
https://notcve.org/view.php?id=CVE-2022-44587
Insertion of Sensitive Information into Log File vulnerability in WP 2FA allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP 2FA: from n/a through 2.6.3. La vulnerabilidad de inserción de información confidencial en el archivo de registro en WP 2FA permite acceder a la funcionalidad no restringida adecuadamente por las ACL. Este problema afecta a WP 2FA: desde n/a hasta 2.6.3. The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.3 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files. • https://patchstack.com/database/vulnerability/wp-2fa/wordpress-wp-2fa-plugin-2-6-3-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6520 – WP 2FA – Two-factor authentication for WordPress <= 2.5.0 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2023-6520
The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.0. This is due to missing or incorrect nonce validation on the send_backup_codes_email function. This makes it possible for unauthenticated attackers to send emails with arbitrary content to registered users via a forged request granted they can trick a site administrator or other registered user into performing an action such as clicking on a link. While a nonce check is present, it is only executed if a nonce is set. By omitting a nonce from the request, the check can be bypassed. • https://plugins.trac.wordpress.org/browser/wp-2fa/trunk/includes/classes/Admin/class-setup-wizard.php?rev=2940688#L606 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3009922%40wp-2fa&new=3009922%40wp-2fa&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/0af451be-2477-453c-a230-7f3fb804398b?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •