CVE-2023-5714 – System Dashboard <= 2.8.7 - Missing Authorization to Information Disclosure (sd_db_specs)
https://notcve.org/view.php?id=CVE-2023-5714
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_db_specs() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve data key specs.
• https://plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.7/admin/class-system-dashboard-admin.php#L2942
• https://plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.8/admin/class-system-dashboard-admin.php#L2949
• https://www.wordfence.com/threat-intel/vulnerabilities/id/53b3ac83-847d-4bd0-a79b-531af266e1b4?source=cve
• CWE-862: Missing Authorization
CVE-2023-5772 – Debug Log Manager <= 2.2.0 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2023-5772
The Debug Log Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the clear_log() function. This makes it possible for unauthenticated attackers to clear the debug log via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
• https://plugins.trac.wordpress.org/browser/debug-log-manager/tags/2.2.0/classes/class-debug-log.php#L822
• https://plugins.trac.wordpress.org/browser/debug-log-manager/tags/2.2.2/classes/class-debug-log.php#L828
• https://www.wordfence.com/threat-intel/vulnerabilities/id/7e539549-1125-4b0e-aa3c-c8844041c23a?source=cve
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-6136 – WordPress Debug Log Manager Plugin <= 2.3.0 is vulnerable to Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2023-6136
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Bowo Debug Log Manager. This issue affects Debug Log Manager: from n/a through 2.3.0.
The Debug Log Manager plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_log() function hooked via AJAX in all versions up to, and including, 2.2.1. This makes it possible for attackers, with subscriber-level access and above, to clear the debug logs.
• https://patchstack.com/database/vulnerability/debug-log-manager/wordpress-debug-log-manager-plugin-2-2-0-sensitive-data-exposure-via-log-file-vulnerability?_s_id=cve
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-862: Missing Authorization