CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-2505 – GamiPress < 6.8.9 - Broken Access Control
https://notcve.org/view.php?id=CVE-2024-2505
The GamiPress WordPress plugin before 6.8.9's access control mechanism fails to properly restrict access to its settings, permitting Authors to manipulate requests and extend access to lower privileged users, like Subscribers, despite initial settings prohibiting such access. This vulnerability resembles broken access control, enabling unauthorized users to modify critical GamiPress WordPress plugin before 6.8.9 configurations. El mecanismo de control de acceso del complemento GamiPress WordPress anterior a 6.8.9 no restringe adecuadamente el acceso a su configuración, lo que permite a los autores manipular solicitudes y extender el acceso a usuarios con privilegios más bajos, como suscriptores, a pesar de que la configuración inicial prohíbe dicho acceso. Esta vulnerabilidad se asemeja a un control de acceso roto, lo que permite a usuarios no autorizados modificar el complemento crítico de GamiPress WordPress antes de las configuraciones 6.8.9. The GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to broken access control in all versions up to, and including, 6.8.8. • https://wpscan.com/vulnerability/9b3d6148-ecee-4e59-84a4-3b3e9898473b • CWE-284: Improper Access Control •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-30455 – WordPress GamiPress plugin <= 6.8.5 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-30455
Cross-Site Request Forgery (CSRF) vulnerability in GamiPress.This issue affects GamiPress: from n/a through 6.8.5. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en GamiPress. Este problema afecta a GamiPress: desde n/a hasta 6.8.5. The GamiPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.8.5. This is due to missing or incorrect nonce validation. • https://patchstack.com/database/vulnerability/gamipress/wordpress-gamipress-plugin-6-8-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25697 – WordPress GamiPress plugin <= 2.5.6 - CSRF Leading to Settings Change Vulnerability
https://notcve.org/view.php?id=CVE-2023-25697
Cross-Site Request Forgery (CSRF) vulnerability in GamiPress.This issue affects GamiPress: from n/a through 2.5.6. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en GamiPress. Este problema afecta a GamiPress: desde n/a hasta 2.5.6. The GamiPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.6. This is due to missing or incorrect nonce validation on the bulk_delete function. • https://patchstack.com/database/vulnerability/gamipress/wordpress-gamipress-plugin-2-5-6-csrf-leading-to-settings-change-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-24000 – WordPress GamiPress Plugin <= 2.5.7 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-24000
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GamiPress gamipress allows SQL Injection.This issue affects GamiPress: from n/a through 2.5.7. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ("Inyección SQL") en GamiPress gamipress permite la inyección SQL. Este problema afecta a GamiPress: desde n/a hasta 2.5.7. The GamiPress plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.5.7 due to insufficient escaping on the user supplied parameter '$qv[$field_id]' and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/gamipress/wordpress-gamipress-plugin-2-5-7-unauthenticated-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25715 – WordPress GamiPress Plugin <= 2.5.6 is vulnerable to Broken Access Control
https://notcve.org/view.php?id=CVE-2023-25715
Missing Authorization vulnerability in GamiPress GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress.This issue affects GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress: from n/a through 2.5.6. Vulnerabilidad de autorización faltante en GamiPress GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress. Este problema afecta a GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress: de n/a hasta 2.5.6. The GamiPress plugin for WordPress is vulnerable to unauthorized modification of user data due to a missing capability check on the gamipress_ajax_profile_update_user_points function in versions up to, and including, 2.5.6. This makes it possible for authenticated attackers with subscriber-level access or higher to manipulate rewards points of other users. • https://patchstack.com/database/vulnerability/gamipress/wordpress-gamipress-plugin-2-5-6-missing-authorization-leading-to-points-manipulation-vulnerability?_s_id=cve • CWE-862: Missing Authorization •