CVE-2021-36908 – WordPress WP Reset PRO Premium Plugin <= 5.98 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2021-36908
Cross-Site Request Forgery (CSRF) vulnerability in the WebFactory Ltd. WP Reset PRO Premium plugin for WordPress (versions <= 5.98) leading to a database reset: the reset action accepts forged requests, so an attacker can trick an authenticated user into performing an unintended database reset. • https://patchstack.com/database/vulnerability/wp-reset/wordpress-wp-reset-pro-premium-plugin-5-98-cross-site-request-forgery-csrf-vulnerability-leading-to-database-reset?_s_id=cve https://patchstack.com/wp-reset-pro-critical-vulnerability-fixed • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2021-36909 – WordPress WP Reset PRO Premium plugin <= 5.98 - Authenticated Database Reset vulnerability
https://notcve.org/view.php?id=CVE-2021-36909
Authenticated Database Reset vulnerability in the WordPress WP Reset PRO Premium plugin (versions <= 5.98) allows any authenticated user, regardless of their role or capabilities, to wipe the entire database. This leads to a complete website reset and takeover. • https://patchstack.com/database/vulnerability/wp-reset/wordpress-wp-reset-pro-premium-plugin-5-98-authenticated-database-reset-vulnerability https://patchstack.com/wp-reset-pro-critical-vulnerability-fixed https://wpreset.com/changelog • CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVE-2021-24424 – WP Reset < 1.90 - Authenticated Stored XSS
https://notcve.org/view.php?id=CVE-2021-24424
The WP Reset – Most Advanced WordPress Reset Tool WordPress plugin before 1.90 did not sanitise or escape its extra_data parameter when creating a snapshot via the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue. • https://m0ze.ru/vulnerability/%5B2021-05-26%5D-%5BWordPress%5D-%5BCWE-79%5D-WP-Reset-WordPress-Plugin-v1.86.txt https://wpscan.com/vulnerability/90cf8f9d-4d37-405d-b161-239bdb281828 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
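The pattern behind CVE-2021-24424, as an added example that is not WP Reset's own code: a hypothetical snapshot-creation handler that stores a request parameter raw and echoes it back into the admin page, beside a version that sanitises on input and escapes on output. It assumes it runs inside WordPress (check_ajax_referer, sanitize_text_field, esc_html and the option API are core functions); the demo_ function names, the option name and the AJAX action are invented for illustration.

```php
<?php
// Added example, not code from the WP Reset plugin. Assumes WordPress core is
// loaded; every demo_* name and the 'demo_snapshots' option are hypothetical.

// VULNERABLE pattern: the value is stored as received and rendered unescaped,
// so a stored payload executes in the browser of every admin who opens the list.
function demo_snapshot_create_vulnerable() {
    $snapshots   = get_option( 'demo_snapshots', array() );
    $snapshots[] = array(
        'created'    => time(),
        'extra_data' => $_POST['extra_data'],      // no sanitisation
    );
    update_option( 'demo_snapshots', $snapshots );
}

function demo_snapshot_table_vulnerable() {
    foreach ( get_option( 'demo_snapshots', array() ) as $s ) {
        echo '<tr><td>' . $s['extra_data'] . '</td></tr>';   // no escaping
    }
}

// HARDENED pattern: nonce and capability check on the write, sanitise the input,
// and escape for the HTML context at the point of output.
function demo_snapshot_create_hardened() {
    check_ajax_referer( 'demo_snapshot_create', 'nonce' );   // blocks CSRF
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $extra = isset( $_POST['extra_data'] )
        ? sanitize_text_field( wp_unslash( $_POST['extra_data'] ) )
        : '';
    $snapshots   = get_option( 'demo_snapshots', array() );
    $snapshots[] = array( 'created' => time(), 'extra_data' => $extra );
    update_option( 'demo_snapshots', $snapshots );
    wp_send_json_success();
}

function demo_snapshot_table_hardened() {
    foreach ( get_option( 'demo_snapshots', array() ) as $s ) {
        // Input sanitisation alone is not a substitute for output escaping:
        // esc_html() neutralises <, >, & and quotes for this HTML context.
        echo '<tr><td>' . esc_html( $s['extra_data'] ) . '</td></tr>';
    }
}

// Only the hardened handler is registered; the vulnerable pair is for comparison.
add_action( 'wp_ajax_demo_snapshot_create', 'demo_snapshot_create_hardened' );
```

The check that matters for the stored variant is the esc_html() call at output time: the data may have been written by a legitimate admin, by a forged request, or by an older plugin version, so the renderer cannot assume it is clean.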
CVE-2020-7047 – WP Database Reset <= 3.1 - Privilege Escalation
https://notcve.org/view.php?id=CVE-2020-7047
The WordPress plugin WP Database Reset through 3.1 contains a flaw that gave any authenticated user, with minimal permissions, the ability (with a simple wp-admin/admin.php?db-reset-tables[]=users request) to escalate their privileges to administrator while dropping all other users from the table. • https://wordpress.org/plugins/wordpress-database-reset/#developers https://wpvulndb.com/vulnerabilities/10028 https://www.wordfence.com/blog/2020/01/easily-exploitable-vulnerabilities-patched-in-wp-database-reset-plugin • CWE-269: Improper Privilege Management •
CVE-2020-7048 – WP Database Reset <= 3.1 - Unauthenticated Database Reset
https://notcve.org/view.php?id=CVE-2020-7048
The WordPress plugin WP Database Reset through 3.1 contains a flaw that allowed any unauthenticated user to reset any table in the database to the initial WordPress set-up state (deleting all site content stored in that table), as demonstrated by a wp-admin/admin-post.php?db-reset-tables[]=comments URI. • https://github.com/ElmouradiAmine/CVE-2020-7048 https://wordpress.org/plugins/wordpress-database-reset/#developers https://wpvulndb.com/vulnerabilities/10027 https://www.wordfence.com/blog/2020/01/easily-exploitable-vulnerabilities-patched-in-wp-database-reset-plugin • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •
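The four reset-endpoint entries above (CVE-2021-36908 CSRF, CVE-2021-36909 missing authorization, CVE-2020-7047 privilege escalation through the users table, CVE-2020-7048 unauthenticated reset) are all failures of the same handler to check who is asking and whether they meant it. The following is an added example, not the code of WP Reset or WP Database Reset: a hypothetical "reset tables" action written with those omissions, beside a hardened version that gates it on authentication, capability, a nonce and a table allow-list. It assumes WordPress core is loaded; the demo_ names, hook names, nonce action and admin page slug are invented.

```php
<?php
// Added example, not the plugins' own code. Assumes WordPress core is loaded;
// every demo_* identifier, hook name and nonce action here is hypothetical.

// VULNERABLE pattern: the handler trusts any request that reaches it.
//  - also hooked on admin_post_nopriv_*, so unauthenticated visitors reach it (CWE-306)
//  - no capability check, so a subscriber can run it (CWE-862)
//  - no nonce, so a link or auto-submitting form runs it in an admin's browser (CWE-352)
//  - table names taken straight from the query string, users table included (CVE-2020-7047)
function demo_reset_tables_vulnerable() {
    global $wpdb;
    foreach ( (array) $_REQUEST['db-reset-tables'] as $table ) {
        $wpdb->query( "TRUNCATE TABLE {$wpdb->prefix}{$table}" );
    }
}
add_action( 'admin_post_demo_reset_unsafe', 'demo_reset_tables_vulnerable' );
add_action( 'admin_post_nopriv_demo_reset_unsafe', 'demo_reset_tables_vulnerable' );

// HARDENED pattern.
function demo_reset_tables_hardened() {
    global $wpdb;

    // 1. Authentication: only the logged-in hook is registered below; there is
    //    deliberately no admin_post_nopriv_ variant for a destructive action.
    // 2. Authorization: being logged in is not enough; require a capability
    //    that only administrators hold.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. CSRF: the request must carry a nonce bound to this user and this
    //    action. A cross-site link or form cannot supply one; the referer is
    //    checked too. check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'demo_reset_tables', 'demo_reset_nonce' );

    // 4. Never interpolate request data into a table name: map the request onto
    //    a fixed allow-list of suffixes. wp_users and wp_usermeta are kept off
    //    it so no reset reachable from a form can rebuild the account list
    //    around the requester, which is how CVE-2020-7047 became an escalation.
    $allowed   = array( 'posts', 'postmeta', 'comments', 'commentmeta', 'terms', 'term_taxonomy' );
    $requested = isset( $_POST['db-reset-tables'] ) ? (array) wp_unslash( $_POST['db-reset-tables'] ) : array();
    $tables    = array_intersect( array_map( 'sanitize_key', $requested ), $allowed );

    if ( empty( $tables ) ) {
        wp_die( 'No valid tables selected', '', array( 'response' => 400 ) );
    }

    foreach ( $tables as $table ) {
        $name = $wpdb->prefix . $table;          // built only from allow-listed suffixes
        $wpdb->query( "TRUNCATE TABLE `{$name}`" );
    }

    wp_safe_redirect( admin_url( 'tools.php?page=demo-reset&done=1' ) );
    exit;
}
add_action( 'admin_post_demo_reset', 'demo_reset_tables_hardened' );

// The form that posts to the hardened handler. wp_nonce_field() emits the hidden
// nonce and referer inputs that check_admin_referer() validates above; because
// the handler only reads $_POST, a GET request like admin-post.php?db-reset-tables[]=comments
// no longer selects anything even if it arrives with a valid session.
function demo_reset_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_reset">';
    wp_nonce_field( 'demo_reset_tables', 'demo_reset_nonce' );
    echo '<label><input type="checkbox" name="db-reset-tables[]" value="comments"> comments</label>';
    submit_button( 'Reset selected tables' );
    echo '</form>';
}
```

When reviewing a reset, backup or import plugin for these classes, the three questions to ask of every admin_post_, wp_ajax_ and REST handler are in the order the hardened function checks them: is an unauthenticated hook registered, is there a current_user_can() check with a capability stronger than read, and is there a nonce check bound to that specific action. A handler that passes all three but still builds SQL from request parameters, as the allow-list step guards against, is the remaining thing to look for.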