CVSS: 7.6 | EPSS: 0% | CPEs: 1 | EXPL: 0

12 Feb 2024 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in miniorange Malware Scanner. This issue affects Malware Scanner: from n/a through 4.7.2. The Malware Scanner plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in all versions up to, and including, 4.7.2 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with adm... • https://patchstack.com/database/vulnerability/miniorange-malware-protection/wordpress-malware-scanner-plugin-4-7-2-admin-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

29 Dec 2023 — Authentication Bypass by Spoofing vulnerability in miniorange Malware Scanner allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Malware Scanner: from n/a through 4.7.1. The Malware Scanner plugin for WordPress is vulnerable ... • https://patchstack.com/database/vulnerability/miniorange-malware-protection/wordpress-malware-scanner-plugin-4-7-1-ip-restriction-bypass-vulnerability?_s_id=cve • CWE-290: Authentication Bypass by Spoofing • CWE-693: Protection Mechanism Failure

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Nov 2023 — Missing Authorization vulnerability in miniOrange miniorange otp verification allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects miniorange otp verification: from n/a through 4.2.1. The miniorange otp verification plugin for WordPress is vulnerable to unauthorized admin notice dismissal due to a missing capability check on the dismiss_notice function in versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with subscriber-level acce... • https://patchstack.com/database/wordpress/plugin/miniorange-otp-verification/vulnerability/wordpress-miniorange-otp-verification-plugin-4-2-1-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Nov 2023 — Improper Privilege Management vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) allows Privilege Escalation. This issue affects WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn): from n/a through 7.6.6. • https://patchstack.com/database/vulnerability/miniorange-login-openid/wordpress-social-login-social-sharing-by-miniorange-plugin-7-6-6-authenticated-privilege-escalation-vulnerability?_s_id=cve • CWE-269: Improper Privilege Management

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

25 Sep 2023 — The Active Directory Integration / LDAP Integration WordPress plugin before 4.1.10 stores sensitive LDAP logs in a buffer file when an administrator wants to export said logs. Unfortunately, this log file is never removed, and remains accessible to any users knowing the URL to do so. • https://wpscan.com/vulnerability/91f4e500-71f3-4ef6-9cc7-24a7c12a5748 • CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

25 Sep 2023 — The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server. • https://medium.com/%40cybertrinchera/cve-2023-4506-cve-2023-4505-ldap-passback-on-miniorange-plugins-ca7328c84313 • CWE-306: Missing Authentication for Critical Function

CVSS: 7.7 | EPSS: 0% | CPEs: 1 | EXPL: 1

25 Sep 2023 — The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 4.1.10. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server. • https://medium.com/%40cybertrinchera/cve-2023-4506-cve-2023-4505-ldap-passback-on-miniorange-plugins-ca7328c84313 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

08 Sep 2023 — The Staff / Employee Business Directory for Active Directory WordPress plugin before 1.2.3 does not sanitize and escape data returned from the LDAP server before rendering it in the page, allowing users who can control their entries in the LDAP directory to inject malicious JavaScript which could be used against high-privilege users such as a site admin. • https://wpscan.com/vulnerability/0b953413-cf41-4de7-ac1f-c6cb995fb158 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-116: Improper Encoding or Escaping of Output

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

05 Sep 2023 — Missing Authorization vulnerability in miniOrange SAML SP Single Sign On allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SAML SP Single Sign On: from n/a through 5.0.4. The SAML SP Single Sign On plugin for WordPress is vulnerable to unauthorized notice dismissal due to a missing capability check on the close_welcome_modal function in versions up to, and including, 5.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to... • https://patchstack.com/database/wordpress/plugin/miniorange-saml-20-single-sign-on/vulnerability/wordpress-saml-single-sign-on-sso-login-plugin-5-0-4-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization

CVSS: 8.3 | EPSS: 0% | CPEs: 1 | EXPL: 2

28 Aug 2023 — The Prevent files / folders access WordPress plugin before 2.5.2 does not validate files to be uploaded, which could allow attackers to upload arbitrary files such as PHP on the server. The Prevent files / folders access plugin for WordPress is vulnerable to arbitrary file uploads due to missin... • https://github.com/codeb0ss/CVE-2023-4238-PoC • CWE-434: Unrestricted Upload of File with Dangerous Type