CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5551 – WP STAGING PRO - Backup Duplicator & Migration <= 5.6.0 - Cross-Site Request Forgery to Limited Local File Inclusion
https://notcve.org/view.php?id=CVE-2024-5551
13 Jun 2024 — The WP STAGING Pro WordPress Backup Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the 'sub' parameter called from the WP STAGING WordPress Backup Plugin - Backup Duplicator & Migration plugin. This makes it possible for unauthenticated attackers to include any local files that end in '-settings.php' via a forged request granted they can trick a site administrator into performing an ... • https://plugins.trac.wordpress.org/browser/wp-staging/trunk/Backend/views/settings/tabs/remote-storages.php#L14 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2024-3682 – WP STAGING <= 3.4.3 and WP STAGING Pro <= 5.4.3 - Sensitive Information Exposure via Log File
https://notcve.org/view.php?id=CVE-2024-3682
25 Apr 2024 — The WP STAGING and WP STAGING Pro plugins for WordPress are vulnerable to Sensitive Information Exposure in versions up to, and including, 3.4.3, and versions up to, and including, 5.4.3, respectively, via the ajaxSendReport function. This makes it possible for unauthenticated attackers to extract sensitive data from a log file, including system information and (in the Pro version) license keys. Successful exploitation requires an administrator to have used the 'Contact Us' functionality along with the "Ena... • https://github.com/IvanGlinkin/CVE-2024-36821 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •