CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1994 – Google Authenticator < 1.0.8 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1994
The Login With OTP Over SMS, Email, WhatsApp and Google Authenticator WordPress plugin before 1.0.8 does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed El plugin Login With OTP Over SMS, Email, WhatsApp and Google Authenticator de WordPress versiones anteriores a 1.0.8, no escapa a su configuración, permitiendo a usuarios con altos privilegios, como los administradores, llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando unfiltered_html no está permitido • https://wpscan.com/vulnerability/114d94be-b567-4b4b-9a44-f2c05cdbe18e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0229 – miniOrange's Google Authenticator < 5.5 - Unauthenticated Arbitrary Options Deletion
https://notcve.org/view.php?id=CVE-2022-0229
The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable. El plugin Google Authenticator de miniOrange de WordPress versiones anteriores a 5.5, no presenta comprobaciones apropiadas de autorización y de tipo CSRF cuando maneja el reconfigureMethod, y no comprueba apropiadamente los parámetros que se le pasan. Como resultado, los usuarios no autenticados podrían eliminar opciones arbitrarias del blog, haciéndolo inusable • https://wpscan.com/vulnerability/d70c5335-4c01-448d-85fc-f8e75b104351 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •