CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

22 Sep 2022 — The miniOrange Discord Integration WordPress plugin before 2.1.6 does not have authorisation and CSRF checks in some of its AJAX actions, allowing any logged-in user, such as a subscriber, to call them and, for example, disable the app. The ... • https://wpscan.com/vulnerability/a91d0501-c2a9-4c6c-b5da-b3fc29442a4f • CWE-352: Cross-Site Request Forgery (CSRF); CWE-862: Missing Authorization

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 Aug 2022 — Authentication Bypass vulnerability in miniOrange WP OAuth Server plugin <= 3.0.4 at WordPress. The plugin WP OAuth Server for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0.4. This makes it possible for attackers to gain administrative access to affected sites. • https://lana.codes/lanavdb/6d794d65-d44b-4099-94c5-3dd2995b218c?_s_id=cve • CWE-264: Permissions, Privileges, and Access Controls; CWE-287: Improper Authentication; CWE-288: Authentication Bypass Using an Alternate Path or Channel

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

27 Jun 2022 — The OAuth Single Sign On WordPress plugin before 6.22.6 doesn't validate that OAuth access token requests are legitimate, which allows attackers to log onto the site knowing only a user's email address. • https://wpscan.com/vulnerability/e76939ca-180f-4472-a26a-e0c36cfd32de • CWE-287: Improper Authentication

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

23 Jun 2022 — Authentication Bypass vulnerability in miniOrange OAuth 2.0 client for SSO plugin <= 1.11.3 at WordPress. The OAuth 2.0 client for SSO plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.11.3. This is due to the plugin accepting a user-supplied email address that is passed to wp_set_auth_cookie() with... • https://lana.codes/lanavdb/df23b19f-4134-41d3-8cb3-9d44189b461b?_s_id=cve • CWE-288: Authentication Bypass Using an Alternate Path or Channel; CWE-306: Missing Authentication for Critical Function

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Jun 2022 — The Limit Login Attempts WordPress plugin before 4.0.72 does not sanitise and escape some of its settings, allowing malicious users with administrator privileges to store malicious JavaScript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example, in a multisite setup). • https://wpscan.com/vulnerability/0e74eeb4-89e2-4873-904f-ad4f25c4a8ba • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Jun 2022 — The Login With OTP Over SMS, Email, WhatsApp and Google Authenticator WordPress plugin before 1.0.8 does not escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. • https://wpscan.com/vulnerability/114d94be-b567-4b4b-9a44-f2c05cdbe18e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Jun 2022 — The WordPress Security Firewall, Malware Scanner, Secure Login and Backup plugin before 4.2.1 does not sanitise and escape some of its settings, allowing malicious users with administrator privileges to store malicious JavaScript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example, in a multisite setup). • https://wpscan.com/vulnerability/16fc08ec-8476-4f3c-93ea-6a51ed880dd5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Jun 2022 — The miniOrange's Google Authenticator WordPress plugin before 5.5.6 does not sanitise and escape some of its settings, allowing malicious users with administrator privileges to store malicious JavaScript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example, in a multisite setup). • https://wpscan.com/vulnerability/b8784995-0deb-4c83-959f-52b37881e05c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Jun 2022 — The Login using WordPress Users ( WP as SAML IDP ) WordPress plugin before 1.13.4 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example, in a multisite setup). • https://wpscan.com/vulnerability/e9e4dfbe-01b2-4003-80ed-db1e45f38b2b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Jun 2022 — The Malware Scanner WordPress plugin before 4.5.2 does not sanitise and escape some of its settings, allowing malicious users with administrator privileges to store malicious JavaScript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example, in a multisite setup). • https://wpscan.com/vulnerability/62fb399d-3327-45d0-b10f-769d2d164903 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')