
CVE-2024-43277 – WordPress UsersWP plugin <= 1.2.15 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-43277
16 Aug 2024 — Missing Authorization vulnerability in AyeCode Ltd UsersWP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UsersWP: from n/a through 1.2.15. The UsersWP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activation_redirect() function in versions up to, and including, 1.2.15. This makes it possible for unauthenticated attackers to trigger the activation redirect. • https://patchstack.com/database/vulnerability/userswp/wordpress-userswp-plugin-1-2-15-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization

CVE-2024-6477 – UsersWP < 1.2.12 - Users Information Disclosure
https://notcve.org/view.php?id=CVE-2024-6477
13 Jul 2024 — The UsersWP WordPress plugin before 1.2.12 uses predictable filenames when an admin generates an export, which could allow unauthenticated attackers to download them and retrieve sensitive information such as IP, username, and email address. The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.11 due to insufficient protections on the '/uploads/cache/'... • https://wpscan.com/vulnerability/346c855a-4d42-4a87-aac9-e5bfc2242b16 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2024-31936 – WordPress UsersWP plugin < 1.2.6 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-31936
10 Apr 2024 — Cross-Site Request Forgery (CSRF) vulnerability in AyeCode Ltd UsersWP. This issue affects UsersWP: from n/a before 1.2.6. The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing or incorrect n... • https://patchstack.com/database/vulnerability/userswp/wordpress-userswp-front-end-login-form-user-registration-user-profile-members-directory-plugin-for-wordpress-plugin-1-2-6-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2022-47442 – WordPress UsersWP Plugin <= 1.2.3.9 is vulnerable to CSV Injection
https://notcve.org/view.php?id=CVE-2022-47442
21 Dec 2022 — Improper Neutralization of Formula Elements in a CSV File vulnerability in AyeCode Ltd UsersWP. This issue affects UsersWP: from n/a through 1.2.3.9. The UsersWP plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.2.3.9 via the process_users_export function. This allows administrator-level attackers to embed un... • https://patchstack.com/database/vulnerability/userswp/wordpress-userswp-front-end-login-form-user-registration-user-profile-members-directory-plugin-for-wordpress-plugin-1-2-3-9-csv-injection?_s_id=cve • CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CVE-2022-0442 – UsersWP < 1.2.3.1 - Subscriber+ User Avatar Override
https://notcve.org/view.php?id=CVE-2022-0442
14 Feb 2022 — The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged-in user to overwrite another user's avatar. • https://wpscan.com/vulnerability/9cf0822a-c9d6-4ebc-b905-95b143d1a692 • CWE-639: Authorization Bypass Through User-Controlled Key