CVE-2023-49168 – WordPress BP Better Messages Plugin <= 2.4.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-49168
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPlus Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS.This issue affects Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0. Neutralización inadecuada de la entrada durante la vulnerabilidad de generación de páginas web ('Coss-Site Scripting') en WordPlus Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss permite Stored XSS. Este problema afecta a Better Messages – Live Chat for WordPress. BuddyPress, PeepSo, Ultimate Member, BuddyBoss: desde n/a hasta 2.4.0. The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. • https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-bp-better-messages-plugin-2-3-12-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-40216 – WordPress Better Messages plugin <= 1.9.10.69 - Auth. Messaging Block Bypass vulnerability
https://notcve.org/view.php?id=CVE-2022-40216
Auth. (subscriber+) Messaging Block Bypass vulnerability in Better Messages plugin <= 1.9.10.69 on WordPress. Vulnerabilidad de omisión de bloqueo de mensajería autenticada (con permisos de suscriptor o superiores) en el complemento Better Messages en versiones <= 1.9.10.69 en WordPress. The Better Messages plugin for WordPress is vulnerable to Authorization Bypass resulting in a block bypass on messaging controls in versions up to, and including, 1.9.10.68. This is due to insufficient or broken controls in the plugin. • https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-69-messaging-block-bypass-vulnerability?_s_id=cve https://wordpress.org/plugins/bp-better-messages/#developers • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2022-41609 – WordPress Better Messages plugin <= 1.9.10.68 - Server-Side Request Forgery (SSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-41609
Auth. (subscriber+) Server-Side Request Forgery (SSRF) vulnerability in Better Messages plugin 1.9.10.68 on WordPress. Vulnerabilidad de Server-Side Request Forgery (SSRF) autenticada (con privilegios de suscriptor o superior) en el complemento Better Messages 1.9.10.68 en WordPress. The Better Messages plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to 1.9.10.68. This makes it possible for authenticated attackers, with subscriber-level privileges or higher, to interact with internal network hosts via specially crafted requests and can lead to sensitive information disclosure.. • https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-68-server-side-request-forgery-ssrf-vulnerability?_s_id=cve https://wordpress.org/plugins/bp-better-messages/#developers • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2022-33142 – WordPress Better Messages plugin <= 1.9.10.57 - Denial Of Service (DoS) vulnerability
https://notcve.org/view.php?id=CVE-2022-33142
Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in WordPlus WordPress Better Messages plugin <= 1.9.10.57 at WordPress. Una vulnerabilidad de Denegación de Servicio (DoS) autenticado (subscriber+) en el plugin WordPlus WordPress Better Messages versiones anteriores a 1.9.10.57 incluyéndola, en WordPress. The Better Messages plugin for WordPress is vulnerable to Resource Exhaustion in versions up to, and including, 1.9.10.57 due to not limiting the size of individual messages. This allows attackers, with subscriber-level access or higher, to exhaust resources on the target server potentially resulting in Denial of Service. • https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability https://wordpress.org/plugins/bp-better-messages/#developers • CWE-400: Uncontrolled Resource Consumption •
CVE-2022-4974 – Freemius SDK <= 2.4.2 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2022-4974
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable. • https://www.wordfence.com/threat-intel/vulnerabilities/id/39fb0499-9ab4-4a2f-b0db-ece86bcf4d42?source=cve https://wpscan.com/vulnerability/6dae6dca-7474-4008-9fe5-4c62b9f12d0a https://freemius.com/blog/managing-security-issues-open-source-freemius-sdk-security-disclosure https://wpdirectory.net/search/01FWPVWA7BC5DYGZHNSZQ9QMN5 https://wpdirectory.net/search/01G02RSGMFS1TPT63FS16RWEYR https://web.archive.org/web/20220225174410/https%3A//www.pluginvulnerabilities.com/2022/02/25/our-security-review-of-wordpress-plugin-found-freemius-li • CWE-862: Missing Authorization •