CVE-2024-39635 – WordPress Youzify plugin <= 1.2.6 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-39635
24 Jul 2024 — Missing Authorization vulnerability in KaineLabs Youzify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Youzify: from n/a through 1.2.6. The Youzify plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action. • https://patchstack.com/database/vulnerability/youzify/wordpress-youzify-plugin-1-2-6-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization
CVE-2024-37494 – WordPress Youzify plugin <= 1.2.5 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-37494
04 Jul 2024 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in KaineLabs Youzify. This issue affects Youzify: from n/a through 1.2.5. The Youzify plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.2.5 due to insufficient escaping on the user su... • https://patchstack.com/database/vulnerability/youzify/wordpress-youzify-plugin-1-2-5-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-4742 – Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress <= 1.2.5 - Authenticated (Contributor+) SQL Injection
https://notcve.org/view.php?id=CVE-2024-4742
19 Jun 2024 — The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the order_by shortcode attribute in all versions up to, and including, 1.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries th... • https://plugins.trac.wordpress.org/browser/youzify/trunk/includes/public/core/functions/youzify-account-verification-functions.php#L294 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-47191 – WordPress Youzify Plugin <= 1.2.2 is vulnerable to Insecure Direct Object References (IDOR)
https://notcve.org/view.php?id=CVE-2023-47191
03 Nov 2023 — Authorization Bypass Through User-Controlled Key vulnerability in KaineLabs Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress. This issue affects Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress: from n/a through 1.2.2. • https://patchstack.com/database/vulnerability/youzify/wordpress-youzify-plugin-1-2-2-insecure-direct-object-reference-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key
CVE-2023-0059 – Youzify < 1.2.2 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0059
24 Jan 2023 — The Youzify WordPress plugin before 1.2.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied att... • https://wpscan.com/vulnerability/5e26c485-9a5a-44a3-95b3-6c063a1c321c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-1950 – Youzify < 1.2.0 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2022-1950
13 Jul 2022 — The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection. The Youzify Plugin for WordPress is vulnerabl... • https://wpscan.com/vulnerability/4352283f-dd43-4827-b417-0c55d0f4637d • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-24443 – Youzify < 1.0.7 - Stored Cross-Site Scripting via Biography
https://notcve.org/view.php?id=CVE-2021-24443
28 Jun 2021 — The About Me widget of the Youzify – BuddyPress Community, User Profile, Social Network & Membership WordPress plugin before 1.0.7 does not properly sanitise its Biography field, allowing any authenticated user to set Cross-Site Scripting payloads in it, which will be executed when viewing the affected user profile. This could allow a low privilege user to gain unauthorised access to the admin side of the blog by targeting an admin, inducing them to view their profile with a malicious payload adding a rogue... • https://wpscan.com/vulnerability/a4432acd-df49-4a4f-8184-b55cdd5d4d34 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')