CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Protect WP Admin WordPress plugin before 4.0 discloses the URL of the admin panel via a redirection of a crafted URL, bypassing the protection offered.

The Protect WP Admin plugin for WordPress is vulnerable to information disclosure in versions up to, and including, 3.8. This is due to a data leak when performing a redirect after processing a crafted request. This makes it possible for unauthenticated attackers to disclose the URL of the admin panel and bypass intended protections.

• https://magos-securitas.com/txt/CVE-2023-3139.txt
• https://wpscan.com/vulnerability/f8a29aee-19cd-4e62-b829-afc9107f69bd
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Protect WP Admin WordPress plugin before 3.6.2 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin (and therefore the protection offered) via a crafted request.

The Protect WP Admin WordPress plugin before 3.7 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin (and therefore the protection offered) via a crafted request.

• https://wpscan.com/vulnerability/4204682b-f657-42e1-941c-bee7a245e9fd
• CWE-862: Missing Authorization
• CWE-863: Incorrect Authorization