CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-54326 – WordPress GEO my WP plugin <= 4.5.0.4 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-54326
11 Dec 2024 — Missing Authorization vulnerability in Eyal Fitoussi GEO my WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GEO my WordPress: from n/a through 4.5.0.4. The GEO my WordPress plugin for WordPress is vulnerable to unauthorized access to data due to a missing capability check on the get_field_options_ajax function in versions up to, and including, 4.5.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to obtain pl... • https://patchstack.com/database/wordpress/plugin/geo-my-wp/vulnerability/wordpress-geo-my-wp-plugin-4-5-0-4-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2024-9422 – GEO My WordPress < 4.5 - Admin+ Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-9422
31 Oct 2024 — The GEO my WP WordPress plugin before 4.5, gmw-premium-settings WordPress plugin before 3.1 does not sufficiently validate files to be uploaded, which could allow attackers to upload arbitrary files such as PHP on the server. The GEO My WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in versions up to, and including 4.4.0.2 (or version up to 3.1 for premium). This makes it possible for authenticated attackers, with Administrator-level access and abo... • https://wpscan.com/vulnerability/81320923-767c-43f0-a8eb-b398c306c16f • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47327 – WordPress GEO my WP plugin <= 4.5.0.3 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-47327
25 Sep 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Eyal Fitoussi GEO my WordPress allows Reflected XSS.This issue affects GEO my WordPress: from n/a through 4.5.0.3. The GEO my WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 4.5.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages th... • https://patchstack.com/database/vulnerability/geo-my-wp/wordpress-geo-my-wp-plugin-4-5-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2024-6330 – GEO my WordPress < 4.4.0.2 - Unauthenticated RCE via LFI
https://notcve.org/view.php?id=CVE-2024-6330
29 Jul 2024 — The GEO my WP WordPress plugin before 4.5.0.2 does not prevent unauthenticated attackers from including arbitrary files in PHP's execution context, which leads to Remote Code Execution. The GEO my WP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.5.0.1 via the 'form[info_window_template][content_path]' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code... • https://github.com/RandomRobbieBF/CVE-2024-6330 • CWE-94: Improper Control of Generation of Code ('Code Injection') •