
CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

25 Aug 2023 — Missing Authorization vulnerability in SolidWP iThemes Sync allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects iThemes Sync: from n/a through 2.1.13. The iThemes Sync plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.13. This is due to missing or incorrect nonce validation on the hide_authenticate_notice function. This makes it possible for unauthenticated attackers to hide admin notices via a forged request granted... • https://patchstack.com/database/wordpress/plugin/ithemes-sync/vulnerability/wordpress-ithemes-sync-plugin-2-1-13-broken-access-control-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •

CVSS: 6.4 | EPSS: 10% | CPEs: 1 | EXPL: 1

30 Jan 2023 — The BackupBuddy WordPress plugin before 8.8.3 does not sanitise and escape some parameters before outputting them back in various places, leading to Reflected Cross-Site Scripting. The BackupBuddy plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters in versions up to, and including, 8.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfu... • https://wpscan.com/vulnerability/7b0eeafe-b9bc-43b2-8487-a23d3960f73f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4 | EPSS: 10% | CPEs: 1 | EXPL: 0

17 Jan 2023 — The MainWP iThemes Security Extension plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 4.1.1 due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to activate arbitrary plugins. • CWE-862: Missing Authorization •

CVSS: 7.8 | EPSS: 92% | CPEs: 1 | EXPL: 0

06 Sep 2022 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in iThemes BackupBuddy allows Path Traversal. This issue affects BackupBuddy: from 8.5.8.0 through 8.7.4.1. The BackupBuddy plugin for WordPress is vulnerable to unauthenticated arbitrary file downloads via the 'local-download' found in the backupbuddy_local_download() function in versions 8.5.8.0 to 8.7.4.1. This is due to a missing capability check and nonce check on the affected function that is called via an admi... • https://ithemes.com/blog/wordpress-vulnerability-report-special-edition-september-6-2022-backupbuddy • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-73: External Control of File Name or Path •

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

06 Jan 2021 — The iThemes Security (formerly Better WP Security) plugin before 7.7.0 for WordPress does not enforce a new-password requirement for an existing account until the second login occurs. • https://wordpress.org/plugins/better-wp-security/#developers • CWE-286: Incorrect User Management CWE-287: Improper Authentication •

CVSS: 9.8 | EPSS: 88% | CPEs: 1 | EXPL: 0

02 Jul 2020 — The CodePeople Payment Form for PayPal Pro plugin before 1.1.65 for WordPress allows SQL Injection. The CodePeople Payment Form for PayPal Pro plugin before 1.1.65 for WordPress allows SQL Injection via query parameter. • https://wordpress.dwbooster.com/forms/payment-form-for-paypal-pro • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.2 | EPSS: 49% | CPEs: 1 | EXPL: 3

22 Jun 2018 — The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page. WordPress iThemes Security plugin versions prior to 7.0.3 suffer from a remote SQL injection vulnerability. • https://packetstorm.news/files/id/148294 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

02 Mar 2018 — The iThemes Security plugin before 6.9.1 for WordPress does not properly perform data escaping for the logs page. • https://wordpress.org/plugins/better-wp-security/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

20 Apr 2015 — iThemes Exchange before 1.12.0 for WordPress has XSS via add_query_arg() and remove_query_arg(). • https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

20 Apr 2015 — Authorize.net Add-on for iThemes Exchange before 1.1.0 for WordPress has XSS via add_query_arg() and remove_query_arg(). • https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •