CVE-2024-43277 – WordPress UsersWP plugin <= 1.2.15 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-43277
Missing Authorization vulnerability in AyeCode Ltd UsersWP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UsersWP: from n/a through 1.2.15. The UsersWP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activation_redirect() function in versions up to, and including, 1.2.15. This makes it possible for unauthenticated attackers to trigger the activation redirect. • https://patchstack.com/database/vulnerability/userswp/wordpress-userswp-plugin-1-2-15-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVE-2024-6477 – UsersWP < 1.2.12 - Users Information Disclosure
https://notcve.org/view.php?id=CVE-2024-6477
The UsersWP WordPress plugin before 1.2.12 uses predictable filenames when an admin generates an export, which could allow unauthenticated attackers to download them and retrieve sensitive information such as IP, username, and email address The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.11due to insufficient protections on the '/uploads/cache/' directory. This makes it possible for unauthenticated attackers to extract sensitive data from user exports. • https://wpscan.com/vulnerability/346c855a-4d42-4a87-aac9-e5bfc2242b16 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2024-31936 – WordPress UsersWP plugin < 1.2.6 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-31936
Cross-Site Request Forgery (CSRF) vulnerability in AyeCode Ltd UsersWP.This issue affects UsersWP: from n/a before 1.2.6. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en AyeCode Ltd UsersWP. Este problema afecta a UsersWP: desde n/a antes de 1.2.6. The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on an unknown function. • https://patchstack.com/database/vulnerability/userswp/wordpress-userswp-front-end-login-form-user-registration-user-profile-members-directory-plugin-for-wordpress-plugin-1-2-6-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-47442 – WordPress UsersWP Plugin <= 1.2.3.9 is vulnerable to CSV Injection
https://notcve.org/view.php?id=CVE-2022-47442
Improper Neutralization of Formula Elements in a CSV File vulnerability in AyeCode Ltd UsersWP.This issue affects UsersWP: from n/a through 1.2.3.9. Neutralización inadecuada de elementos de fórmula en una vulnerabilidad de CSV File en AyeCode Ltd UsersWP. Este problema afecta a UsersWP: desde n/a hasta 1.2.3.9. The UsersWP plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.2.3.9 via the process_users_export function. This allows administrator-level attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. • https://patchstack.com/database/vulnerability/userswp/wordpress-userswp-front-end-login-form-user-registration-user-profile-members-directory-plugin-for-wordpress-plugin-1-2-3-9-csv-injection?_s_id=cve • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVE-2022-0442 – UsersWP < 1.2.3.1 - Subscriber+ User Avatar Override
https://notcve.org/view.php?id=CVE-2022-0442
The UsersWP WordPress plugin before 1.2.3.1 is missing access controls when updating a user avatar, and does not make sure file names for user avatars are unique, allowing a logged in user to overwrite another users avatar. El plugin UsersWP de WordPress versiones anteriores a 1.2.3.1, no presenta controles de acceso cuando es actualizada el avatar de un usuario, y no es asegurado de que los nombres de los archivos de los avatares de los usuarios sean únicos, permitiendo a un usuario conectado sobrescribir el avatar de otro usuario • https://wpscan.com/vulnerability/9cf0822a-c9d6-4ebc-b905-95b143d1a692 • CWE-639: Authorization Bypass Through User-Controlled Key •