CVSS: 10.0EPSS: 23%CPEs: 3EXPL: 13CVE-2024-10924 – Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2024-10924
14 Nov 2024 — The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default). • https://github.com/m3ssap0/wordpress-really-simple-security-authn-bypass-exploit • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1894 – Burst Statistics – Privacy-Friendly Analytics for WordPress <= 1.5.6.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via burst_total_pageviews_count
https://notcve.org/view.php?id=CVE-2024-1894
12 Mar 2024 — The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'burst_total_pageviews_count' custom meta field in all versions up to, and including, 1.5.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected ... • https://plugins.trac.wordpress.org/browser/burst-statistics/trunk/class-frontend.php#L67 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1592 – Complianz – GDPR/CCPA Cookie Consent <= 6.5.6 - Cross-Site Request Forgery to Data Request Deletion
https://notcve.org/view.php?id=CVE-2024-1592
01 Mar 2024 — The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.6. This is due to missing or incorrect nonce validation on the process_delete function in class-DNSMPD.php. This makes it possible for unauthenticated attackers to delete GDPR data requests via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3041903%40complianz-gdpr&old=3009228%40complianz-gdpr&sfp_email=&sfph_mail= • CWE-352: Cross-Site Request Forgery (CSRF) •