CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23710 – WordPress WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin <= 7.5.14 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-23710
15 Feb 2023 — Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin <= 7.5.14 versions. The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 7.5.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrative-... • https://patchstack.com/database/vulnerability/miniorange-login-openid/wordpress-wordpress-social-login-and-register-discord-google-twitter-linkedin-plugin-7-5-14-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-1093 – OAuth Single Sign On - SSO (OAuth Client) < 6.24.2 - IdP Discard via CSRF
https://notcve.org/view.php?id=CVE-2023-1093
15 Feb 2023 — The OAuth Single Sign On WordPress plugin before 6.24.2 does not have CSRF checks when discarding Identify providers (IdP), which could allow attackers to make logged in admins delete all IdP via a CSRF attack The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.24.1. This is due to missing or incorrect nonce validation on the 'discard' case in the mooauth_client_applist_page function. This makes it possible for un... • https://wpscan.com/vulnerability/1e13b9ea-a3ef-483b-b967-6ec14bd6d54d • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25455 – WordPress WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin <= 7.6.0 - Arbitrary Content Deletion vulnerability
https://notcve.org/view.php?id=CVE-2023-25455
13 Feb 2023 — Missing Authorization vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn): from n/a through 7.6.0. The WordPress Social Login and Register plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 7.6.0. This is due to a missing capability check on the 'mo_openid... • https://patchstack.com/database/wordpress/plugin/miniorange-login-openid/vulnerability/wordpress-wordpress-social-login-and-register-discord-google-twitter-linkedin-plugin-7-6-0-arbitrary-content-deletion-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23749 – Extension - miniorange - LDAP Integration - LDAP Injection (username)
https://notcve.org/view.php?id=CVE-2023-23749
17 Jan 2023 — The 'LDAP Integration with Active Directory and OpenLDAP - NTLM & Kerberos Login' extension is vulnerable to LDAP Injection since is not properly sanitizing the 'username' POST parameter. An attacker can manipulate this paramter to dump arbitrary contents form the LDAP Database. La extension 'LDAP Integration with Active Directory and OpenLDAP - NTLM & Kerberos Login' es vulnerable a la inyección LDAP ya que no sanitiza adecuadamente el parámetro POST 'username'. Un atacante puede manipular este parámet... • https://extensions.joomla.org/vulnerable-extensions/resolved/ldap-integration-with-active-directory-and-openldap-ntlm-kerberos-login-5-0-2-other • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 3CVE-2022-4496 – miniOrange WordPress SAML SSO multiple versions - Open Redirect in SSO login
https://notcve.org/view.php?id=CVE-2022-4496
06 Jan 2023 — The SAML SSO Standard WordPress plugin version 16.0.0 before 16.0.8, SAML SSO Premium WordPress plugin version 12.0.0 before 12.1.0 and SAML SSO Premium Multisite WordPress plugin version 20.0.0 before 20.0.7 does not validate that the redirect parameter to its SSO login endpoint points to an internal site URL, making it vulnerable to an Open Redirect issue when the user is already logged in. The SSO Login Premium Multisite plugin for WordPress is vulnerable to Open Redirect in versions up to, and including... • https://wpscan.com/vulnerability/af2e30c7-0787-4fe2-97ee-bc616f7178a1 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4200 – Login with Cognito <= 1.4.8 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-4200
07 Dec 2022 — The Login with Cognito WordPress plugin through 1.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). El complemento Login with Cognito de WordPress hasta la versión 1.4.8 no sanitiza ni escapa a algunas de sus configuraciones, lo que podría permitir a usuarios con privilegios elevados, como el administrador, realizar ... • https://wpscan.com/vulnerability/ac2e3fea-e1e6-4d90-9945-d8434a00a3cf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-44589 – WordPress miniOrange's Google Authenticator Plugin <= 5.6.1 is vulnerable to Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2022-44589
23 Nov 2022 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in miniOrange miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA , Two Factor, OTP SMS and Email | Passwordless login.This issue affects miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA , Two Factor, OTP SMS and Email | Passwordless login: from n/a through 5.6.1. Vulnerabilidad de exposición de información confidencial a un actor no autorizado en miniOrange miniOrange's Google Aut... • https://patchstack.com/database/vulnerability/miniorange-2-factor-authentication/wordpress-miniorange-two-factor-authentication-plugin-5-6-1-sensitive-data-exposure-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45073 – WordPress REST API Authentication plugin <= 2.4.0 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-45073
09 Nov 2022 — Cross-Site Request Forgery (CSRF) vulnerability in REST API Authentication plugin <= 2.4.0 on WordPress. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento REST API Authentication en WordPress en versiones <= 2.4.0. The WordPress REST API Authentication plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.0. This is due to missing or incorrect nonce validation on the 'save_temporary_data' function. This makes it possible for unauthentic... • https://patchstack.com/database/vulnerability/wp-rest-api-authentication/wordpress-rest-api-authentication-plugin-2-4-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-42461 – WordPress miniOrange's Google Authenticator plugin <= 5.6.1 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2022-42461
31 Oct 2022 — Broken Access Control vulnerability in miniOrange's Google Authenticator plugin <= 5.6.1 on WordPress. Vulnerabilidad de control de acceso roto en el complemento miniOrange's Google Authenticator de WordPress en versiones <= 5.6.1. The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.1. This makes it possible for authenticated attackers, with subscriber-level p... • https://patchstack.com/database/vulnerability/miniorange-2-factor-authentication/wordpress-miniorange-s-google-authenticator-plugin-5-6-1-broken-access-control-vulnerability?_s_id=cve • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24375 – WordPress WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin <= 7.5.14 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-24375
23 Sep 2022 — Missing Authorization vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn): from n/a through 7.5.14. The WordPress Social Login and Register plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the mo_sharing_app_value function as well as others that are re... • https://patchstack.com/database/wordpress/plugin/miniorange-login-openid/vulnerability/wordpress-wordpress-social-login-and-register-discord-google-twitter-linkedin-plugin-7-5-14-broken-access-control?_s_id=cve • CWE-862: Missing Authorization •