CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47836 – WordPress WP Meta and Date Remover plugin <= 2.3.0 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-47836
16 Nov 2023 — Missing Authorization vulnerability in Prasad Kirpekar WP Meta and Date Remover allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Meta and Date Remover: from n/a through 2.3.0. The WP Meta and Date Remover plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.0. This is due to missing or incorrect nonce validation on the updateSettings function. This makes it possible for unauthenticated attackers to change the ... • https://patchstack.com/database/wordpress/plugin/wp-meta-and-date-remover/vulnerability/wordpress-wp-meta-and-date-remover-plugin-2-2-1-broken-access-control-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4823 – WP Meta and Date Remover < 2.2.0 - Subscriber+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-4823
31 Oct 2023 — The WP Meta and Date Remover WordPress plugin before 2.2.0 provides an AJAX endpoint for configuring the plugin settings. This endpoint has no capability checks and does not sanitize the user input, which is then later output unescaped. Allowing any authenticated users, such as subscriber change them and perform Stored Cross-Site Scripting. El complemento WP Meta and Date Remover de WordPress anterior a 2.2.0 proporciona un endpoint AJAX para configurar los ajustes del complemento. Este endpoint no tiene co... • https://wpscan.com/vulnerability/84f53e27-d8d2-4fa3-91f9-447037508d30 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 425EXPL: 0CVE-2022-4974 – Freemius SDK <= 2.4.2 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2022-4974
04 Mar 2022 — The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable. • https://www.wordfence.com/threat-intel/vulnerabilities/id/39fb0499-9ab4-4a2f-b0db-ece86bcf4d42?source=cve • CWE-862: Missing Authorization •