CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23660 – WordPress MainWP Maintenance Extension Plugin <= 4.1.1 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-23660
Auth. (subscriber+) SQL Injection (SQLi) vulnerability in MainWP MainWP Maintenance Extension plugin <= 4.1.1 versions. The MainWP Maintenance Extension for WordPress are vulnerable to SQL Injection via an unknown parameter due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber level privileges or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/articles/multiple-vulnerabilities-affecting-mainwp-extensions?_s_id=cve https://patchstack.com/database/vulnerability/mainwp-maintenance-extension/wordpress-mainwp-maintenance-extension-plugin-4-1-1-subscriber-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23650 – WordPress MainWP Code Snippets Extension Plugin <= 4.0.2 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-23650
Auth. (subscriber+) Stored Cross-Site Scripting (XSS) vulnerability in MainWP MainWP Code Snippets Extension plugin <= 4.0.2 versions. The MainWP Code Snippets Extension for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/mainwp-code-snippets-extension/wordpress-mainwp-code-snippets-extension-plugin-4-0-2-subscriber-stored-cross-site-scripting-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23746 – MainWP WordPress SEO Extension <= 4.0.1 - Missing Authorization to Arbitrary Plugin Activation
https://notcve.org/view.php?id=CVE-2023-23746
The MainWP WordPress SEO Extension plugin for WordPress is vulnerable to authorization bypass in versions up to, and including 4.0.1, due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to activate arbitrary plugins. • CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23640 – WordPress MainWP UpdraftPlus Extension Plugin <= 4.0.6 - Subscriber+ Arbitrary Plugin Activation Vulnerability
https://notcve.org/view.php?id=CVE-2023-23640
Missing Authorization vulnerability in MainWP MainWP UpdraftPlus Extension.This issue affects MainWP UpdraftPlus Extension: from n/a through 4.0.6. Vulnerabilidad de autorización faltante en MainWP MainWP UpdraftPlus Extension. Este problema afecta a MainWP UpdraftPlus Extension: desde n/a hasta 4.0.6. The MainWP UpdraftPlus Extension plugin for WordPress is vulnerable to authorization bypass in versions up to, and including 4.0.6, due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to activate arbitrary plugins. • https://patchstack.com/database/vulnerability/mainwp-updraftplus-extension/wordpress-mainwp-updraftplus-extension-plugin-4-0-6-subscriber-arbitrary-plugin-activation-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23747 – MainWP Buddy Extension <= 4.0.1 - Missing Authorization to Arbitrary Plugin Activation
https://notcve.org/view.php?id=CVE-2023-23747
The MainWP Buddy Extension plugin for WordPress is vulnerable to authorization bypass in versions up to, and including 4.0.1 due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to activate arbitrary plugins. • CWE-862: Missing Authorization •