CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-44587 – WordPress WP 2FA plugin <= 2.6.3 - Sensitive Data Exposure via Log File vulnerability
https://notcve.org/view.php?id=CVE-2022-44587
Insertion of Sensitive Information into Log File vulnerability in WP 2FA allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP 2FA: from n/a through 2.6.3. La vulnerabilidad de inserción de información confidencial en el archivo de registro en WP 2FA permite acceder a la funcionalidad no restringida adecuadamente por las ACL. Este problema afecta a WP 2FA: desde n/a hasta 2.6.3. The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.3 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files. • https://patchstack.com/database/vulnerability/wp-2fa/wordpress-wp-2fa-plugin-2-6-3-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32568 – WordPress WP 2FA plugin <= 2.6.2 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-32568
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP 2FA allows Reflected XSS.This issue affects WP 2FA: from n/a through 2.6.2. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('Cross-site Scripting') en Melapress WP 2FA permite el XSS reflejado. Este problema afecta a WP 2FA: desde n/a hasta 2.6.2. The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/wp-2fa/wordpress-wp-2fa-plugin-2-6-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6506 – WP 2FA <= 2.5.0 - Insecure Direct Object Reference to Arbitrary Email Sending
https://notcve.org/view.php?id=CVE-2023-6506
The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the send_backup_codes_email due to missing validation on a user controlled key. This makes it possible for subscriber-level attackers to email arbitrary users on the site. El complemento WP 2FA – Two-factor authentication for WordPress para WordPress es vulnerable a la referencia directa a objetos inseguros en todas las versiones hasta la 2.5.0 incluida a través de send_backup_codes_email debido a la falta de validación en una clave controlada por el usuario. Esto hace posible que los atacantes a nivel de suscriptor envíen correos electrónicos a usuarios arbitrarios en el sitio. • https://plugins.trac.wordpress.org/browser/wp-2fa/trunk/includes/classes/Admin/class-setup-wizard.php?rev=2940688#L606 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3009922%40wp-2fa&new=3009922%40wp-2fa&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/caff9be6-4161-47a0-ba47-6c8fc0c4ab40?source=cve • CWE-639: Authorization Bypass Through User-Controlled Key CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6520 – WP 2FA – Two-factor authentication for WordPress <= 2.5.0 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2023-6520
The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.0. This is due to missing or incorrect nonce validation on the send_backup_codes_email function. This makes it possible for unauthenticated attackers to send emails with arbitrary content to registered users via a forged request granted they can trick a site administrator or other registered user into performing an action such as clicking on a link. While a nonce check is present, it is only executed if a nonce is set. By omitting a nonce from the request, the check can be bypassed. • https://plugins.trac.wordpress.org/browser/wp-2fa/trunk/includes/classes/Admin/class-setup-wizard.php?rev=2940688#L606 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3009922%40wp-2fa&new=3009922%40wp-2fa&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/0af451be-2477-453c-a230-7f3fb804398b?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-44595 – WordPress WP2FA plugin <= 2.2.0 - Broken Authentication vulnerability
https://notcve.org/view.php?id=CVE-2022-44595
Improper Authentication vulnerability in Melapress WP 2FA allows Authentication Bypass.This issue affects WP 2FA: from n/a through 2.2.0. Una vulnerabilidad de autenticación incorrecta en Melapress WP 2FA permite omitir la autenticación. Este problema afecta a WP 2FA: desde n/a hasta 2.2.0. The WP 2FA plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the login_form_validate_2fa function in versions up to, and including, 2.2.0. This makes it possible for authenticated attackers to receive a 2fa login code even if the provider is not enabled for that user. • https://patchstack.com/database/vulnerability/wp-2fa/wordpress-wp2fa-plugin-2-2-0-broken-authentication-vulnerability?_s_id=cve • CWE-287: Improper Authentication CWE-862: Missing Authorization •