CVE-2022-40192 – WordPress wpForo Forum plugin <= 2.0.9 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-40192
Cross-Site Request Forgery (CSRF) vulnerability in wpForo Forum plugin <= 2.0.9 on WordPress. The wpForo Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the profile_cover_delete function. This makes it possible for unauthenticated attackers to delete forum users via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-forum-plugin-2-0-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-40200 – WordPress wpForo Forum plugin <= 2.0.9 - Auth. Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2022-40200
Auth. (subscriber+) Arbitrary File Upload vulnerability in wpForo Forum plugin <= 2.0.9 on WordPress. The wpForo Forum plugin for WordPress is vulnerable to arbitrary file uploads due to missing protections or file validations in versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with minimal permissions, to upload arbitrary files on the affected site's server, which may make remote code execution possible. • https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-forum-plugin-2-0-9-arbitrary-file-upload-vulnerability?_s_id=cve https://wordpress.org/plugins/wpforo/#developers • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2022-40206 – WordPress wpForo Forum plugin <= 2.0.5 - Insecure direct object references (IDOR) vulnerability
https://notcve.org/view.php?id=CVE-2022-40206
Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public. The wpForo Forum plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.5. This makes it possible for authenticated attackers, with subscriber-level access or higher, to mark any forum post as private/public. • https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-forum-plugin-2-0-5-insecure-direct-object-references-idor-vulnerability?_s_id=cve https://wordpress.org/plugins/wpforo • CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2022-43492 – WordPress Comments – wpDiscuz plugin 7.4.2 - Auth. Insecure Direct Object References (IDOR) vulnerability
https://notcve.org/view.php?id=CVE-2022-43492
Auth. (subscriber+) Insecure Direct Object References (IDOR) vulnerability in Comments – wpDiscuz plugin 7.4.2 on WordPress. The Comments – wpDiscuz plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 7.4.2. This is due to insufficient validation on the 'wmu_attachments' user-controlled key. • https://patchstack.com/database/vulnerability/wpdiscuz/wordpress-comments-wpdiscuz-plugin-7-4-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve https://wordpress.org/plugins/wpdiscuz/#developers • CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2022-40205 – WordPress wpForo Forum plugin <= 2.0.5 - Insecure direct object references (IDOR) vulnerability
https://notcve.org/view.php?id=CVE-2022-40205
Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as solved/unsolved. The wpForo Forum plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.5. This makes it possible for authenticated attackers, with subscriber-level access or higher, to mark any forum post as solved/unsolved. • https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-forum-plugin-2-0-5-insecure-direct-object-references-idor-vulnerability-2?_s_id=cve https://wordpress.org/plugins/wpforo • CWE-639: Authorization Bypass Through User-Controlled Key