CVE-2023-23639 – WordPress MainWP Staging Extension Plugin <= 4.0.3 - Subscriber+ Arbitrary Plugin Activation Vulnerability
https://notcve.org/view.php?id=CVE-2023-23639
Missing Authorization vulnerability in MainWP MainWP Staging Extension. This issue affects MainWP Staging Extension: from n/a through 4.0.3. The MainWP Staging Extension plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 4.0.3, due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to activate arbitrary plugins. • https://patchstack.com/database/vulnerability/mainwp-staging-extension/wordpress-mainwp-staging-extension-plugin-4-0-3-subscriber-arbitrary-plugin-activation-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVE-2023-23655 – MainWP Code Snippets Extension <= 4.0.2 - Missing Authorization to Plugin Settings Change
https://notcve.org/view.php?id=CVE-2023-23655
The MainWP Code Snippets Extension plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 4.0.2 due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change the plugin's settings. • CWE-862: Missing Authorization •
CVE-2023-23653 – MainWP File Uploader Extension <= 4.1 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2023-23653
The MainWP File Uploader Extension for WordPress is vulnerable to arbitrary file download. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary files from the affected site. • CWE-862: Missing Authorization •
CVE-2023-23651 – WordPress MainWP Google Analytics Extension Plugin <= 4.0.4 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2023-23651
Auth. (subscriber+) SQL Injection (SQLi) vulnerability in MainWP Google Analytics Extension plugin <= 4.0.4 versions. The MainWP Google Analytics Extension for WordPress is vulnerable to SQL Injection via an unknown parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level privileges or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/mainwp-google-analytics-extension/wordpress-mainwp-google-analytics-extension-plugin-4-0-4-subscriber-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-23665 – MainWP Rocket Extension <= 4.0.3 - Missing Authorization to Plugin Settings Change
https://notcve.org/view.php?id=CVE-2023-23665
The MainWP Rocket Extension plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 4.0.3 due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change the plugin's settings. • CWE-862: Missing Authorization •