CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-34148 – WordPress Backup Guard Plugin <= 1.6.9.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-34148
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JetBackup JetBackup – WP Backup, Migrate & Restore plugin <= 1.6.9.0 versions. The Backup Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/backup/wordpress-backup-guard-plugin-1-6-8-8-auth-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-36668 – JetBackup – WP Backup, Migrate & Restore <= 1.4.0 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2020-36668
The JetBackup – WP Backup, Migrate & Restore plugin for WordPress is vulnerable to sensitive information disclosure in versions up to, and including, 1.4.0 due to a lack of proper capability checking on the backup_guard_get_manual_modal function called via an AJAX action. This makes it possible for subscriber-level attackers, and above, to invoke the function and obtain database table information. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2348984%40backup&new=2348984%40backup&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/3e2a9d71-21ef-45a1-99ed-477066ce9620 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-36667 – JetBackup – WP Backup, Migrate & Restore <= 1.4.1 - Missing Authorization to Unauthorized Backup Location Change
https://notcve.org/view.php?id=CVE-2020-36667
The JetBackup – WP Backup, Migrate & Restore plugin for WordPress is vulnerable to unauthorized back-up location changes in versions up to, and including 1.4.1 due to a lack of proper capability checking on the backup_guard_cloud_dropbox, backup_guard_cloud_gdrive, and backup_guard_cloud_oneDrive functions. This makes it possible for authenticated attackers, with minimal permissions, such as a subscriber to change to location of back-ups and potentially steal sensitive information from them. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2348984%40backup&new=2348984%40backup&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/59532447-1d74-4d34-85f5-d89b65a001d8 • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-36669 – JetBackup – WP Backup, Migrate & Restore <= 1.3.9 - Cross-Site Request Forgery to Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2020-36669
The JetBackup – WP Backup, Migrate & Restore plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.3.9. This is due to missing nonce validation on the backup_guard_get_import_backup() function. This makes it possible for unauthenticated attackers to upload arbitrary files to the vulnerable site's server via a forged request, granted they can trick a site's administrator into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/changeset/2341420 https://www.wordfence.com/threat-intel/vulnerabilities/id/9ae8de00-ba4c-48d2-a566-13dac0bc4312 • CWE-352: Cross-Site Request Forgery (CSRF) •