CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-7204 – WP STAGING WordPress Backup Plugin < 3.2.0 - Unauthorized Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2023-7204
The WP STAGING WordPress Backup plugin before 3.2.0 allows access to cache files during the cloning process which provides El complemento WP STAGING WordPress Backup anterior a 3.2.0 permite el acceso a archivos de caché durante el proceso de clonación, lo que proporciona The WP STAGING WordPress Backup Plugin – Migration Backup Restore plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions before 3.2.0 via the cache files. This makes it possible for unauthenticated attackers to extract sensitive data. • https://wpscan.com/vulnerability/65a8cf83-d6cc-4d4c-a482-288a83a69879 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2023-6113 – WP Staging (Free < 3.1.3, Pro < 5.1.3) - Unauthenticated Backup Download
https://notcve.org/view.php?id=CVE-2023-6113
The WP STAGING WordPress Backup Plugin before 3.1.3 and WP STAGING Pro WordPress Backup Plugin before 5.1.3 do not prevent visitors from leaking key information about ongoing backups processes, allowing unauthenticated attackers to download said backups later. WP STAGING WordPress Backup Plugin anterior a 3.1.3 y WP STAGING Pro WordPress Backup Plugin anterior a 5.1.3 no impiden que los visitantes filtren información clave sobre los procesos de copia de seguridad en curso, lo que permite a atacantes no autenticados descargar dichas copias de seguridad más tarde. The WP STAGING WordPress Backup Plugin Free and Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in various versions via the jobCache_backup_job file. This makes it possible for unauthenticated attackers to extract sensitive data such as the key which enables them to download the backups later. • https://research.cleantalk.org/cve-2023-6113-wp-staging-unauth-sensitive-data-exposure-to-account-takeover-poc-exploit https://wpscan.com/vulnerability/5a71049a-09a6-40ab-a4e8-44634869d4fb • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-2737 – WP STAGING < 2.9.18 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-2737
The WP STAGING WordPress plugin before 2.9.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) El plugin WP STAGING de WordPress versiones anteriores a 2.9.18, no sanea y escapa de algunas de sus configuraciones, lo que podría permitir a usuarios con altos privilegios, como los administradores, llevar a cabo ataques de tipo Cross-Site Scripting Almacenado incluso cuando la capacidad unfiltered_html no está permitida (por ejemplo, en una configuración multisitio) The WP STAGING plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.9.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/91bbdeb0-f2df-4500-b856-af0ff68fbb12 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •