CVE-2023-23644 – MainWP Page Speed Extension <= 4.0.2 - Missing Authorization to Arbitrary Plugin Activation
https://notcve.org/view.php?id=CVE-2023-23644
The MainWP Page Speed Extension plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 4.0.2 due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to activate arbitrary plugins. • CWE-862: Missing Authorization •
CVE-2023-23666 – MainWP Post Plus Extension <= 4.0.3 - Missing Authorization to Arbitrary Page/Post Deletion
https://notcve.org/view.php?id=CVE-2023-23666
The MainWP Post Plus Extension plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in versions up to, and including, 4.0.3. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts and pages. • CWE-862: Missing Authorization •
CVE-2023-23669 – MainWP Wordfence Extension <= 4.0.7 - Missing Authorization to Plugin Settings Change
https://notcve.org/view.php?id=CVE-2023-23669
The MainWP Wordfence Extension plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 4.0.7 due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change the plugin's settings. • CWE-862: Missing Authorization •
CVE-2023-23648 – MainWP Rocket Extension <= 4.0.3 - Missing Authorization to Arbitrary Plugin Activation
https://notcve.org/view.php?id=CVE-2023-23648
The MainWP Rocket Extension plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 4.0.3 due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to activate arbitrary plugins. • CWE-862: Missing Authorization •
CVE-2021-24877 – MainWP Child < 4.1.8 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-24877
The MainWP Child WordPress plugin before 4.1.8 does not validate the orderby and order parameters before using them in a SQL statement, leading to an SQL injection exploitable by high privilege users such as admin when the Backup and Staging by WP Time Capsule plugin is installed. • https://wpscan.com/vulnerability/b09fe120-ab9b-44f2-b50d-3b4b299d6d15 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •