CVE-2024-8369 – EventPrime <= 4.0.4.3 - Missing Authorization to Unauthenticated Private or Password-Protected Events Disclosure
https://notcve.org/view.php?id=CVE-2024-8369
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access to Private or Password-protected events due to missing authorization checks in all versions up to, and including, 4.0.4.3. This makes it possible for unauthenticated attackers to view private or password-protected events.
References: https://wordpress.org/plugins/eventprime-event-calendar-management https://www.wordfence.com/threat-intel/vulnerabilities/id/97174ec0-a2b7-455e-9bf8-b6f51546beee?source=cve
CWE-862: Missing Authorization
CVE-2024-6410 – ProfileGrid <= 5.8.9 - Authenticated (Subscriber+) Insecure Direct Object Reference
https://notcve.org/view.php?id=CVE-2024-6410
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.8.9 via the 'pm_upload_image' function due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the profile picture of any user.
References: https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/js/profile-magic-admin-power.js#L361 https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/js/profile-magic-admin-power.js#L390 https://plugins.trac.wordpress.org/changeset/3111609/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/crop.php https://www.wordfence.com/threat-intel/vulnerabilities/id/8679f4cd-2cb8-48ad-a531-a00c1b85ed2e?source=cve
CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2024-6411 – ProfileGrid – User Profiles, Groups and Communities <= 5.8.9 - Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-6411
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.8.9. This is due to a lack of validation on user-supplied data in the 'pm_upload_image' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their user capabilities to Administrator.
References: https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/js/profile-magic-admin-power.js#L361 https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/js/profile-magic-admin-power.js#L390 https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/coverimg_crop.php https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/crop
CWE-269: Improper Privilege Management
CVE-2024-5453 – ProfileGrid <= 5.8.6 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-5453
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_dismissible_notice and pm_wizard_update_group_icon functions in all versions up to, and including, 5.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options to the value '1' or change group icons.
References: https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/admin/class-profile-magic-admin.php#L1378 https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/admin/class-profile-magic-admin.php#L2006 https://plugins.trac.wordpress.org/changeset/3095503/profilegrid-user-profiles-groups-and-communities/trunk/admin/class-profile-magic-admin.php?contextall=1 https://www.wordfence.com/threat-intel/vulnerabilities/id/7a44d182-2a43-47c0-ab2e-36c0514c1d47?source
CWE-862: Missing Authorization
CVE-2024-3606 – ProfileGrid – User Profiles, Memberships, Groups and Communities <= 5.8.3 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-3606
The ProfileGrid – User Profiles, Memberships, Groups and Communities plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the pm_upload_cover_image function in all versions up to, and including, 5.8.3. This makes it possible for authenticated attackers, with subscriber access or higher, to delete attachments.
References: https://plugins.trac.wordpress.org/changeset/3069928/profilegrid-user-profiles-groups-and-communities/trunk?contextall=1&old=3068943&old_path=%2Fprofilegrid-user-profiles-groups-and-communities%2Ftrunk https://www.wordfence.com/threat-intel/vulnerabilities/id/c039d2fe-7518-4724-a025-6380a53fb58c?source=cve
CWE-862: Missing Authorization