CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3082 – miniOrange Discord Integration < 2.1.6 - Subscriber+ App Disabling
https://notcve.org/view.php?id=CVE-2022-3082
The miniOrange Discord Integration WordPress plugin before 2.1.6 does not have authorisation and CSRF in some of its AJAX actions, allowing any logged in users, such as subscriber to call them, and disable the app for example El plugin miniOrange Discord Integration de WordPress versiones anteriores a 2.1.6, no presenta autorización y de tipo CSRF en algunas de sus acciones AJAX, lo que permite a cualquier usuario con sesión iniciada, como el suscriptor, llamar y deshabilitar la aplicación, por ejemplo The miniOrange Discord Integration plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on an several AJAX actions including 'mo_discord_check_capp_enable' and 'mo_discord_custom_app_enable_change_update' in versions up to, and including, 2.1.5. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke those functions leading to plugin options update. • https://wpscan.com/vulnerability/a91d0501-c2a9-4c6c-b5da-b3fc29442a4f • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-34149 – WordPress WP OAuth Server plugin <= 3.0.4 - Authentication Bypass vulnerability
https://notcve.org/view.php?id=CVE-2022-34149
Authentication Bypass vulnerability in miniOrange WP OAuth Server plugin <= 3.0.4 at WordPress. Una vulnerabilidad de Omisión de Autenticación en el plugin miniOrange WP OAuth Server versiones anteriores a 3.0.4 incluyéndola, en WordPress. The plugin WP OAuth Server for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0.4. This makes it possible for attackers to gain administrative access to affected sites. • https://lana.codes/lanavdb/6d794d65-d44b-4099-94c5-3dd2995b218c?_s_id=cve https://patchstack.com/database/vulnerability/miniorange-oauth-20-server/wordpress-wp-oauth-server-plugin-3-0-4-authentication-bypass-vulnerability?_s_id=cve • CWE-264: Permissions, Privileges, and Access Controls CWE-287: Improper Authentication CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2133 – OAuth Single Sign On < 6.22.6 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2022-2133
The OAuth Single Sign On WordPress plugin before 6.22.6 doesn't validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with the only knowledge of a user's email address. El plugin OAuth Single Sign On de WordPress versiones anteriores a 6.22.6, no comprueba que las peticiones de token de acceso OAuth sean legítimas, lo que permite a atacantes entrar en el sitio con el único conocimiento de la dirección de correo electrónico de un usuario • https://wpscan.com/vulnerability/e76939ca-180f-4472-a26a-e0c36cfd32de • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-34858 – WordPress OAuth 2.0 client for SSO plugin <= 1.11.3 - Authentication Bypass vulnerability
https://notcve.org/view.php?id=CVE-2022-34858
Authentication Bypass vulnerability in miniOrange OAuth 2.0 client for SSO plugin <= 1.11.3 at WordPress. Una vulnerabilidad de elusión de autenticación en el cliente miniOrange Oauth versión 2.0 para el plugin SSO versiones anteriores a 1.11.3 incluyéndola, en WordPress. The OAuth 2.0 client for SSO plugin for WordPress is vulnerable to authentication bypass in versions up to, and including 1.11.3. This is due to the plugin accepting a user supplied email address that is passed to wp_set_auth_cookie() with no further identity validation to verify that the email supplied belongs to the user trying to log in with that email address. This makes it possible for unauthenticated attackers to log in as a site administrator granted they have access to a site admin's email address. • https://lana.codes/lanavdb/df23b19f-4134-41d3-8cb3-9d44189b461b?_s_id=cve https://patchstack.com/database/vulnerability/oauth-client/wordpress-oauth-2-0-client-for-sso-plugin-1-11-3-authentication-bypass-vulnerability?_s_id=cve • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-306: Missing Authentication for Critical Function •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1994 – Google Authenticator < 1.0.8 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1994
The Login With OTP Over SMS, Email, WhatsApp and Google Authenticator WordPress plugin before 1.0.8 does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed El plugin Login With OTP Over SMS, Email, WhatsApp and Google Authenticator de WordPress versiones anteriores a 1.0.8, no escapa a su configuración, permitiendo a usuarios con altos privilegios, como los administradores, llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando unfiltered_html no está permitido • https://wpscan.com/vulnerability/114d94be-b567-4b4b-9a44-f2c05cdbe18e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •