CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-44737 – WordPress All In One WP Security plugin <= 5.1.0 - Multiple Cross-Site Request Forgery (CSRF) vulnerabilities
https://notcve.org/view.php?id=CVE-2022-44737
Multiple Cross-Site Request Forgery vulnerabilities in All-In-One Security (AIOS) – Security and Firewall (WordPress plugin) <= 5.1.0 on WordPress. Múltiples vulnerabilidades de Cross-Site Request Forgery en el complemento All-In-One Security (AIOS) Security and Firewall en WordPress en versiones <= 5.1.0. The All In One WP Security & Firewall plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to incorrect nonce validation on the functions 'render_login_whitelist', 'render_rename_login', 'render_honeypot' functions and possible others. This makes it possible for unauthenticated attackers to perform bulk actions on the plugin's list tables (such as deleting blocked IP entries) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/all-in-one-wp-security-and-firewall/wordpress-all-in-one-wp-security-plugin-5-1-0-multiple-cross-site-request-forgery-csrf-vulnerabilities?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-25102 – All In One WP Security < 4.4.11 - Authenticated Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-25102
The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk El plugin All In One WP Security & Firewall de WordPress versiones anteriores a 4.4.11, no comprueba, sanea y escapa del parámetro redirect_to antes de usarlo para redirigir al usuario, ya sea por medio de un encabezado Location, o un atributo meta url, cuando la página Rename Login está activa, lo que podría conllevar a un problema de Redireccionamiento Arbitrario así como de tipo Cross-Site Scripting. La explotación de este problema requiere que sea conocido el valor de la URL de la página de inicio de sesión, que debería ser difícil de adivinar, reduciendo el riesgo • https://wpscan.com/vulnerability/9b8a00a6-622b-4309-bbbf-fe2c7fc9f8b6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-10887 – All In One WP Security & Firewall <= 4.0.8 - SQL Injection
https://notcve.org/view.php?id=CVE-2016-10887
The all-in-one-wp-security-and-firewall plugin before 4.0.9 for WordPress has multiple SQL injection issues. El plugin all-in-one-wp-security-and-firewall versiones anteriores a 4.0.9 para WordPress, presenta múltiples problemas de inyección SQL. • https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/#developers • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-10866 – All In One WP Security & Firewall <= 4.1.9 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2016-10866
The all-in-one-wp-security-and-firewall plugin before 4.2.0 for WordPress has multiple XSS issues. El complemento todo-en-uno-wp-security-and-firewall versión anterior a 4.2.0 para WordPress tiene múltiples problemas XSS. The all-in-one-wp-security-and-firewall plugin before 4.2.0 for WordPress has multiple XSS issues via the 'tab' parameter. • https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-10888 – All In One WP Security & Firewall <= 4.0.6 - SQL Injection
https://notcve.org/view.php?id=CVE-2016-10888
The all-in-one-wp-security-and-firewall plugin before 4.0.7 for WordPress has multiple SQL injection issues. El plugin all-in-one-wp-security-and-firewall versiones anteriores a 4.0.7 para WordPress, presenta múltiples problemas de inyección SQL. • https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/#developers • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •