CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

19 Apr 2023 — The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's settings. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2842228%40miniorange-2-factor-authentication%2Ftrunk&old=2815645%40miniorange-2-factor-authentication%2Ftrunk&sfp_email=&sfph_mail= • CWE-862: Missing Authorization

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Nov 2022 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in miniOrange miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA, Two Factor, OTP SMS and Email | Passwordless login. This issue affects miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA, Two Factor, OTP SMS and Email | Passwordless login: from n/a through 5.6.1. • https://patchstack.com/database/vulnerability/miniorange-2-factor-authentication/wordpress-miniorange-two-factor-authentication-plugin-5-6-1-sensitive-data-exposure-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Oct 2022 — Broken Access Control vulnerability in miniOrange's Google Authenticator plugin <= 5.6.1 on WordPress. The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.1. This makes it possible for authenticated attackers, with subscriber-level p... • https://patchstack.com/database/vulnerability/miniorange-2-factor-authentication/wordpress-miniorange-s-google-authenticator-plugin-5-6-1-broken-access-control-vulnerability?_s_id=cve • CWE-264: Permissions, Privileges, and Access Controls • CWE-862: Missing Authorization

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Jun 2022 — The miniOrange's Google Authenticator WordPress plugin before 5.5.6 does not sanitise and escape some of its settings, allowing malicious users with administrator privileges to store malicious JavaScript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed (for example in multisite setup). • https://wpscan.com/vulnerability/b8784995-0deb-4c83-959f-52b37881e05c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.6 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Jun 2022 — The Google Authenticator WordPress plugin before 1.0.5 does not have a CSRF check when saving its settings, and does not sanitise or escape them, allowing attackers to make a logged-in admin change them and perform Cross-Site Scripting attacks. • https://wpscan.com/vulnerability/fefc1411-594d-465b-aeb9-78c141b23762 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

28 Feb 2022 — The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable. • https://wpscan.com/vulnerability/d70c5335-4c01-448d-85fc-f8e75b104351 • CWE-352: Cross-Site Request Forgery (CSRF) • CWE-862: Missing Authorization