CVE-2023-5712 – System Dashboard <= 2.8.7 - Missing Authorization to Information Disclosure (sd_global_value)
https://notcve.org/view.php?id=CVE-2023-5712
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_global_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7.
https://plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.7/admin/class-system-dashboard-admin.php#L7382
https://plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.8/admin/class-system-dashboard-admin.php#L7403
https://www.wordfence.com/threat-intel/vulnerabilities/id/70f14d9d-6ed6-4bcb-944d-f9c5aa6a17a6?source=cve
CWE-862: Missing Authorization
CVE-2023-6113 – WP Staging (Free < 3.1.3, Pro < 5.1.3) - Unauthenticated Backup Download
https://notcve.org/view.php?id=CVE-2023-6113
This makes it possible for unauthenticated attackers to extract sensitive data such as the key which enables them to download the backups later.
https://research.cleantalk.org/cve-2023-6113-wp-staging-unauth-sensitive-data-exposure-to-account-takeover-poc-exploit
https://wpscan.com/vulnerability/5a71049a-09a6-40ab-a4e8-44634869d4fb
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-5710 – System Dashboard <= 2.8.7 - Missing Authorization to Information Disclosure (sd_constants)
https://notcve.org/view.php?id=CVE-2023-5710
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_constants() function hooked via an AJAX action in all versions up to, and including, 2.8.7.
https://plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.7/admin/class-system-dashboard-admin.php#L7930
https://plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.8/admin/class-system-dashboard-admin.php#L7951
https://www.wordfence.com/threat-intel/vulnerabilities/id/f170379e-e833-42e0-96fd-1e1722a8331c?source=cve
CWE-862: Missing Authorization
CVE-2023-5714 – System Dashboard <= 2.8.7 - Missing Authorization to Information Disclosure (sd_db_specs)
https://notcve.org/view.php?id=CVE-2023-5714
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_db_specs() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve data key specs.
https://plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.7/admin/class-system-dashboard-admin.php#L2942
https://plugins.trac.wordpress.org/browser/system-dashboard/tags/2.8.8/admin/class-system-dashboard-admin.php#L2949
https://www.wordfence.com/threat-intel/vulnerabilities/id/53b3ac83-847d-4bd0-a79b-531af266e1b4?source=cve
CWE-862: Missing Authorization
CVE-2023-44297
https://notcve.org/view.php?id=CVE-2023-44297
An unauthenticated physical attacker could potentially exploit this vulnerability, leading to information disclosure, information tampering, code execution, denial of service.
https://www.dell.com/support/kbdoc/en-us/000220047/dsa-2023-429-security-update-for-dell-16g-poweredge-server-bios-for-a-debug-code-security-vulnerability
CWE-667: Improper Locking
CWE-1234: Hardware Internal or Debug Modes Allow Override of Locks