CVE-2024-25902 – WordPress Malware Scanner Plugin <= 4.7.2 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2024-25902
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in miniorange Malware Scanner.This issue affects Malware Scanner: from n/a through 4.7.2. The Malware Scanner plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in all versions up to, and including, 4.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/miniorange-malware-protection/wordpress-malware-scanner-plugin-4-7-2-admin-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-52176 – WordPress Malware Scanner plugin <= 4.7.1 - IP Restriction Bypass vulnerability
https://notcve.org/view.php?id=CVE-2023-52176
Authentication Bypass by Spoofing vulnerability in miniorange Malware Scanner allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Malware Scanner: from n/a through 4.7.1. La vulnerabilidad de omisión de autenticación mediante suplantación de identidad en miniorange Malware Scanner permite acceder a funciones que no están correctamente restringidas por las ACL. Este problema afecta a Malware Scanner: desde n/a hasta 4.7.1. The Malware Scanner plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 4.7.1 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to bypass IP blocking functionality. • https://patchstack.com/database/vulnerability/miniorange-malware-protection/wordpress-malware-scanner-plugin-4-7-1-ip-restriction-bypass-vulnerability?_s_id=cve • CWE-290: Authentication Bypass by Spoofing CWE-693: Protection Mechanism Failure •
CVE-2023-47776 – miniorange otp verification <= 4.2.1 - Missing Authorization via dismiss_notice
https://notcve.org/view.php?id=CVE-2023-47776
The miniorange otp verification plugin for WordPress is vulnerable to unauthorized admin notice dismissal due to a missing capability check on the dismiss_notice function in versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss notices intended for admins. • CWE-862: Missing Authorization •
CVE-2023-47683 – WordPress Social Login, Social Sharing by miniOrange plugin <= 7.6.6 - Authenticated Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2023-47683
Improper Privilege Management vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) allows Privilege Escalation.This issue affects WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn): from n/a through 7.6.6. Una vulnerabilidad de gestión de privilegios incorrecta en miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) permite la escalada de privilegios. Este problema afecta a miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn): desde n/a hasta 7.6.6 . The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 7.6.6. This is due to the plugin improperly restricting user meta values that can be updated and allowing users to control a user role update during a social login through the custom registration form. • https://patchstack.com/database/vulnerability/miniorange-login-openid/wordpress-social-login-social-sharing-by-miniorange-plugin-7-6-6-authenticated-privilege-escalation-vulnerability?_s_id=cve • CWE-269: Improper Privilege Management •
CVE-2023-4505 – Staff / Employee Business Directory for Active Directory <= 1.2.3 - Authenticated (Admin+) LDAP Passback
https://notcve.org/view.php?id=CVE-2023-4505
The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server. El complemento Staff / Employee Business Directory para Active Directory para WordPress es vulnerable a LDAP Passback en versiones hasta la 1.2.3 inclusive. Esto se debe a una validación insuficiente al cambiar el servidor LDAP. • https://medium.com/%40cybertrinchera/cve-2023-4506-cve-2023-4505-ldap-passback-on-miniorange-plugins-ca7328c84313 https://wordpress.org/plugins/ldap-ad-staff-employee-directory-search https://www.wordfence.com/threat-intel/vulnerabilities/id/1ea40b96-4693-4f98-8e6e-2ed8186cedd8?source=cve • CWE-306: Missing Authentication for Critical Function •