CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 1CVE-2023-3342 – User Registration <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-3342
The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hardcoded encryption key and missing file type validation on the 'ur_upload_profile_pic' function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with subscriber-level capabilities or above to upload arbitrary files on the affected site's server which may make remote code execution possible. This was partially patched in version 3.0.2 and fully patched in version 3.0.2.1. El plugin User Registration para WordPress es vulnerable a la carga de archivos arbitrarios debido a una clave de cifrado codificada y a la falta de validación del tipo de archivo en la función "ur_upload_profile_pic" en las versiones hasta la 3.0.2 inclusive. Esto hace posible que atacantes autenticados con capacidades de nivel suscriptor o superior carguen archivos arbitrarios en el servidor del sitio afectado, lo que puede posibilitar la ejecución remota de código. • http://packetstormsecurity.com/files/173434/WordPress-User-Registration-3.0.2-Arbitrary-File-Upload.html https://lana.codes/lanavdb/c0a58dff-7a5b-4cc0-82d6-2255e61d801c https://plugins.trac.wordpress.org/browser/user-registration/tags/3.0.1/includes/functions-ur-core.php#L3156 https://plugins.trac.wordpress.org/changeset/2933689/user-registration/trunk/includes/functions-ur-core.php https://www.wordfence.com/threat-intel/vulnerabilities/id/a979e885-f7dd-4616-a881-64f3d97c309d?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-3343 – User Registration <= 3.0.1 - Authenticated (Subscriber+) PHP Object Injection
https://notcve.org/view.php?id=CVE-2023-3343
The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.1 via deserialization of untrusted input from the 'profile-pic-url' parameter. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. El plugin User Registration para WordPress es vulnerable a la inyección de objetos PHP en versiones hasta la 3.0.1 inclusive a través de la deserialización de la entrada no fiable del parámetro "profile-pic-url". • https://plugins.trac.wordpress.org/browser/user-registration/tags/3.0.1/includes/functions-ur-core.php#L3156 https://plugins.trac.wordpress.org/changeset/2932199/user-registration/trunk/includes/functions-ur-core.php#file0 https://www.wordfence.com/threat-intel/vulnerabilities/id/3590277a-3319-4707-b728-d75ea59e8ad9?source=cve • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23987 – WordPress User Registration Plugin <= 2.3.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-23987
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPEverest User Registration plugin <= 2.3.0 versions. The User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via field settings in versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrative-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://patchstack.com/database/vulnerability/user-registration/wordpress-user-registration-custom-registration-form-login-form-and-user-profile-for-wordpress-plugin-2-3-0-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3912 – User Registration < 2.2.4.1 - Subscriber+ Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2022-3912
The User Registration WordPress plugin before 2.2.4.1 does not properly restrict the files to be uploaded via an AJAX action available to both unauthenticated and authenticated users, which could allow unauthenticated users to upload PHP files for example. El complemento User Registration de WordPress anterior a 2.2.4.1 no restringe adecuadamente los archivos que se cargarán mediante una acción AJAX disponible para usuarios autenticados y no autenticados, lo que podría permitir a los usuarios no autenticados cargar archivos PHP, por ejemplo. The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the profile_pic_upload function in versions up to, and including, 2.2.4. This makes it possible for authenticated attackers, with subscriber access or higher, to upload arbitrary files on the affected sites server which may make remote code execution possible. • https://wpscan.com/vulnerability/968c677c-1beb-459b-8fd1-7f70bcaa4f74 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24654 – User Registration < 2.0.2 - Low Privilege Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24654
The User Registration WordPress plugin before 2.0.2 does not properly sanitise the user_registration_profile_pic_url value when submitted directly via the user_registration_update_profile_details AJAX action. This could allow any authenticated user, such as subscriber, to perform Stored Cross-Site attacks when their profile is viewed El plugin User Registration de WordPress versiones anteriores a 2.0.2 no sanea correctamente el valor user_registration_profile_pic_url cuando se envía directamente por medio de la acción user_registration_update_profile_details AJAX. Esto podría permitir a cualquier usuario autenticado, como el suscriptor, llevar a cabo ataques de tipo Cross-Site Almacenados cuando es visualizado su perfil • https://wpscan.com/vulnerability/5c7a9473-d32e-47d6-9f8e-15b96fe758f2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •