CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 3CVE-2023-2916 – InfiniteWP Client <= 1.11.1 - Authenticated (Subscriber+) Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2023-2916
The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges. El plugin InfiniteWP Client para WordPress es vulnerable a la Exposición de Información Sensible en versiones hasta, e incluyendo, 1.11.1 a través de la función 'admin_notice'. • https://github.com/d0rb/CVE-2023-2916 https://plugins.trac.wordpress.org/browser/iwp-client/tags/1.11.1/core.class.php#L365 https://plugins.trac.wordpress.org/changeset/2925897/iwp-client#file4 https://www.wordfence.com/threat-intel/vulnerabilities/id/aa157c80-447f-4406-9e49-9cc6208b7b19?source=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 9.8EPSS: 96%CPEs: 1EXPL: 1CVE-2020-8772 – InfiniteWP Client <= 1.9.4.4 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2020-8772
The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missing authorization check in iwp_mmb_set_request in init.php. Any attacker who knows the username of an administrator can log in. El plugin InfiniteWP Client versiones anteriores a 1.9.4.5 para WordPress, presenta una falta de comprobación de autorización en la función iwp_mmb_set_request en el archivo init.php. Cualquier atacante que conozca el nombre de usuario de un administrador puede iniciar sesión. • https://wpvulndb.com/vulnerabilities/10011 https://www.webarxsecurity.com/vulnerability-infinitewp-client-wp-time-capsule • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 2CVE-2016-15004 – InfiniteWP Client Plugin injection
https://notcve.org/view.php?id=CVE-2016-15004
A vulnerability was found in InfiniteWP Client Plugin 1.5.1.3/1.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to injection. The attack can be launched remotely. • http://seclists.org/fulldisclosure/2017/Jan/72 https://sumofpwn.nl/advisory/2016/infinitewp_client_wordpress_plugin_unauthenticated_php_object_injection_vulnerability.html https://vuldb.com/?id.96073 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-502: Deserialization of Untrusted Data •