CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23651 – WordPress MainWP Google Analytics Extension Plugin <= 4.0.4 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2023-23651
Auth. (subscriber+) SQL Injection (SQLi) vulnerability in MainWP Google Analytics Extension plugin <= 4.0.4 versions. Vulnerabilidad de inyección SQL (SQLi) autenticada (con permisos de suscriptor o superiores) en el complemento MainWP Google Analytics Extension en versiones <= 4.0.4. The MainWP Google Analytics Extension for WordPress are vulnerable to SQL Injection via an unknown parameter due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber level privileges or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/mainwp-google-analytics-extension/wordpress-mainwp-google-analytics-extension-plugin-4-0-4-subscriber-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23652 – MainWP Google Analytics Extension <= 4.0.4 - Missing Authorization to Plugin Settings Change
https://notcve.org/view.php?id=CVE-2023-23652
The MainWP Google Analytics Extension plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 4.0.4 due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change the plugin's settings. • CWE-862: Missing Authorization •