CVSS: 6.4EPSS: 10%CPEs: 1EXPL: 1CVE-2022-4897 – BackupBuddy < 8.8.3 - Multiple Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-4897
30 Jan 2023 — The BackupBuddy WordPress plugin before 8.8.3 does not sanitise and escape some parameters before outputting them back in various places, leading to Reflected Cross-Site Scripting The BackupBuddy plugin for WordPress is vulnerable to Reflected Cross-Site Scripting several parameters in versions up to, and including, 8.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfu... • https://wpscan.com/vulnerability/7b0eeafe-b9bc-43b2-8487-a23d3960f73f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 92%CPEs: 1EXPL: 0CVE-2022-31474 – WordPress BackupBuddy Plugin 8.5.8.0-8.7.4.1 is vulnerable to Directory Traversal
https://notcve.org/view.php?id=CVE-2022-31474
06 Sep 2022 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in iThemes BackupBuddy allows Path Traversal.This issue affects BackupBuddy: from 8.5.8.0 through 8.7.4.1. The BackupBuddy plugin for WordPress is vulnerable to unauthenticated arbitrary file downloads via the 'local-download' found in the backupbuddy_local_download() function in versions 8.5.8.0 to 8.7.4.1. This is due to a missing capability check and nonce check on the affected function that is called via an admi... • https://ithemes.com/blog/wordpress-vulnerability-report-special-edition-september-6-2022-backupbuddy • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-73: External Control of File Name or Path •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 2CVE-2013-2741 – BackupBuddy < 3.0 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2013-2741
24 Mar 2013 — importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress does not require that authentication be enabled, which allows remote attackers to obtain sensitive information, or overwrite or delete files, via vectors involving a (1) direct request, (2) step=1 request, (3) step=2 or step=3 request, or (4) step=7 request. importbuddy.php en el complemento BackupBuddy v1.3.4, v2.1.4, v2.2.25, v2.2.28, y v2.2.4 para WordPress no requiere autenticación, lo que permite a atacantes... • http://archives.neohapsis.com/archives/fulldisclosure/2013-03/0205.html • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 2CVE-2013-2742 – BackupBuddy < 3.0 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2013-2742
24 Mar 2013 — importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress does not reliably delete itself after completing a restore operation, which makes it easier for remote attackers to obtain access via subsequent requests to this script. importbuddy.php en el plugin de BackupBuddy v1.3.4, v2.1.4, v2.2.25, v2.2.28 y v2.2.4 para WordPress no es fiable queda eliminado tras completar una operación de restauración, lo que hace que sea más fácil para los atacantes remotos obtener acces... • http://archives.neohapsis.com/archives/fulldisclosure/2013-03/0205.html • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 2CVE-2013-2743 – BackupBuddy < 3.0 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2013-2743
24 Mar 2013 — importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress allows remote attackers to bypass authentication via a crafted integer in the step parameter. importbuddy.php en el complemento BackupBuddy v1.3.4, v2.1.4, v2.2.25, v2.2.28, y v2.2.4 para WordPress que permite a atacantes remotos evitar autenticaciones a través del parámetro step manipulando el entero. • http://archives.neohapsis.com/archives/fulldisclosure/2013-03/0205.html • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 2CVE-2013-2744 – BackupBuddy <= 2.2.28 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2013-2744
24 Mar 2013 — importbuddy.php in the BackupBuddy plugin 2.2.25 for WordPress allows remote attackers to obtain configuration information via a step 0 phpinfo action, which calls the phpinfo function. importbuddy.php en el plugin para WordPress BackupBuddy v2.2.25 permite a atacantes remotos obtener información de configuración a través de una acción "step 0 phpinfo", que llama a la función phpinfo. The BackupBuddy plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.2.28 via a... • http://archives.neohapsis.com/archives/fulldisclosure/2013-03/0205.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •