CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10585 – InfiniteWP Client <= 1.13.0 - Unauthenticated Limited Directory Traversal to Arbitrary .txt File Reading
https://notcve.org/view.php?id=CVE-2024-10585
07 Jan 2025 — The InfiniteWP Client plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.13.0 via the 'historyID' parameter of the ~/debug-chart/index.php file. This makes it possible for unauthenticated attackers to read .txt files outside of the intended directory. • https://plugins.svn.wordpress.org/iwp-client/tags/1.13.0/debug-chart/index.php • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 87%CPEs: 1EXPL: 7CVE-2024-8856 – Backup and Staging by WP Time Capsule <= 1.22.21 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-8856
15 Nov 2024 — The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the the UploadHandler.php file and no direct file access prevention in all versions up to, and including, 1.22.21. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. WordPress Backup and Staging plugin versions 1.21.16 and below suffer from a remote shell upload vu... • https://packetstorm.news/files/id/183146 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 8%CPEs: 1EXPL: 3CVE-2023-2916 – InfiniteWP Client <= 1.11.1 - Authenticated (Subscriber+) Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2023-2916
14 Aug 2023 — The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which woul... • https://github.com/d0rb/CVE-2023-2916 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-25035 – Backup and Staging by WP Time Capsule < 1.22.7 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-25035
21 Dec 2021 — The Backup and Staging by WP Time Capsule WordPress plugin before 1.22.7 does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting El plugin Backup and Staging by WP Time Capsule de WordPress versiones anteriores a 1.22.7, no comprueba ni escapa del parámetro error antes de devolverlo a una página de administración, conllevando a un problema de tipo Cross-Site Scripting Reflejado • https://plugins.trac.wordpress.org/changeset/2641264 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 93%CPEs: 1EXPL: 1CVE-2020-8772 – InfiniteWP Client <= 1.9.4.4 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2020-8772
14 Jan 2020 — The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing authorization check in iwp_mmb_set_request in init.php. Any attacker who knows the username of an administrator can log in. El plugin InfiniteWP Client versiones anteriores a 1.9.4.5 para WordPress, presenta una falta de comprobación de autorización en la función iwp_mmb_set_request en el archivo init.php. Cualquier atacante que conozca el nombre de usuario de un administrador puede iniciar sesión. • https://wpvulndb.com/vulnerabilities/10011 • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 2CVE-2016-15004 – InfiniteWP Client Plugin injection
https://notcve.org/view.php?id=CVE-2016-15004
25 Jan 2017 — A vulnerability was found in InfiniteWP Client Plugin 1.5.1.3/1.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to injection. The attack can be launched remotely. • http://seclists.org/fulldisclosure/2017/Jan/72 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-502: Deserialization of Untrusted Data •