CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-4385 – WP Private Content Plus <= 3.1 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2021-4385
The WP Private Content Plus plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1. This is due to missing or incorrect nonce validation on the save_groups() function. This makes it possible for unauthenticated attackers to add new group members via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4 https://blo • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-15816 – WP Private Content Plus <= 1.31 - Unauthenticated Settings Change
https://notcve.org/view.php?id=CVE-2019-15816
The wp-private-content-plus plugin before 2.0 for WordPress has no protection against option changes via save_settings_page and other save_ functions. El plugin wp-private-content-plus anterior a la versión 2.0 para WordPress no tiene protección contra los cambios de opción a través save_settings_page and other save_ functions. • https://blog.nintechnet.com/unauthenticated-options-change-vulnerability-in-wordpress-wp-private-content-plus-plugin https://wordpress.org/plugins/wp-private-content-plus/#developers https://wpvulndb.com/vulnerabilities/9817 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •