CVE-2024-10399 – Download Monitor <= 5.0.13 - Missing Authorization to Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2024-10399
The Download Monitor plugin for WordPress is vulnerable to sensitive information exposure due to a missing capability check on the ajax_search_users function in all versions up to, and including, 5.0.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain the usernames and email addresses of site users. • https://plugins.trac.wordpress.org/browser/download-monitor/tags/5.0.13/src/KeyGeneration/class-dlm-key-generation.php#L266 https://plugins.trac.wordpress.org/changeset/3178099/download-monitor/trunk/src/KeyGeneration/class-dlm-key-generation.php?contextall=1 https://www.wordfence.com/threat-intel/vulnerabilities/id/03b88862-012a-4dc6-9abb-99dc0d9408fd?source=cve • CWE-862: Missing Authorization •
CVE-2024-10092 – Download Monitor <= 5.0.12 - Missing Authorization to API Key Manipulation
https://notcve.org/view.php?id=CVE-2024-10092
The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revoke existing API keys and generate new ones. • https://www.wordfence.com/threat-intel/vulnerabilities/id/f1e50d8c-e61c-4e94-b5e8-b24832dc24b6?source=cve https://plugins.trac.wordpress.org/browser/download-monitor/tags/5.0.12/src/KeyGeneration/class-dlm-key-generation.php#L299 https://plugins.trac.wordpress.org/changeset/3173614/download-monitor/trunk/src/KeyGeneration/class-dlm-key-generation.php • CWE-862: Missing Authorization •
CVE-2024-8552 – Download Monitor <= 5.0.9 - Missing Authorization to Authenticated (Subscriber+) Shop Enable
https://notcve.org/view.php?id=CVE-2024-8552
The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including, 5.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable shop functionality. • https://plugins.trac.wordpress.org/browser/download-monitor/tags/5.0.8/src/AjaxHandler.php#L317 https://plugins.trac.wordpress.org/changeset/3157424/#file17 https://www.wordfence.com/threat-intel/vulnerabilities/id/3acaedff-f616-4b66-9208-f7e6a4df920d?source=cve • CWE-862: Missing Authorization •
CVE-2024-6571 – Optimize Images ALT Text (alt tag) & names for SEO using AI <= 3.1.1 - Unauthenticated Full Path Disclosure
https://notcve.org/view.php?id=CVE-2024-6571
The Optimize Images ALT Text (alt tag) & names for SEO using AI plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.1.1. This is because the plugin bundles the cocur library and does not prevent direct access to its generate-default.php file. This makes it possible for unauthenticated attackers to retrieve the full filesystem path of the web application, which can be used to aid other attacks. The information disclosed is not useful on its own and requires another vulnerability to be present before it can cause damage to an affected website. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3122915%40imageseo&new=3122915%40imageseo&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/a11083dd-7a5f-483b-a854-2697ddc54262?source=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
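The Full Path Disclosure above comes from a PHP file inside the plugin tree that can be requested directly over HTTP, outside of WordPress. The following is an added illustration of that class of bug and of the standard guard against it; it is not the imageseo plugin's or cocur's code, and the file and function names are assumptions standing in for the generate-default.php case the advisory describes.

```php
<?php
/**
 * Illustrative plugin sub-file (NOT the imageseo plugin's or cocur's code).
 * Stands in for a file such as
 *   /wp-content/plugins/<plugin>/vendor/<lib>/example-default.php
 * that the web server will happily serve on a direct request.
 */

// --- Hardened: refuse direct requests before touching any WordPress API. ---
// ABSPATH is defined by wp-load.php when WordPress bootstraps. On a direct
// request to this file nothing has loaded WordPress, so it is undefined and
// we stop here with an empty 403 instead of letting PHP run the code below.
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 );
    exit;
}

// --- Vulnerable behaviour (what happens with the guard above removed) -----
// WordPress is not loaded, so plugin_dir_path() does not exist. PHP throws an
// Error; with display_errors enabled (a common hosting misconfiguration) the
// HTTP response body then contains a message of this shape:
//
//   Fatal error: Uncaught Error: Call to undefined function plugin_dir_path()
//   in /var/www/example.com/wp-content/plugins/example-plugin/vendor/example-lib/example-default.php:29
//
// The "/var/www/example.com/..." string is the full path disclosure. The same
// leak occurs for any undefined function, failed require of a relative path,
// or uncaught exception reached on a direct request.
$plugin_dir = plugin_dir_path( __FILE__ );

// Normal plugin logic continues here once WordPress is confirmed loaded.
echo esc_html( $plugin_dir );
```

To check an install for this pattern, request a plugin's non-entry PHP files directly (for example `curl -s -o - -w '%{http_code}\n' https://example.com/wp-content/plugins/example-plugin/vendor/example-lib/example-default.php`, a constructed URL) and look for a 200 response whose body contains an absolute path. A correct guard returns 403 with an empty body; a `Deny from all` or equivalent web-server rule on the `vendor/` directory is a reasonable second layer, since third-party library files rarely carry the ABSPATH check themselves.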
CVE-2023-6491 – Strong Testimonials <= 3.1.12 - Authenticated (Contributor+) Improper Authorization to Views Modification
https://notcve.org/view.php?id=CVE-2023-6491
The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the wpmtst_save_view_sticky function in all versions up to, and including, 3.1.12. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify favorite views. • https://plugins.trac.wordpress.org/changeset/3097409/strong-testimonials/tags/3.1.13/admin/views.php https://www.wordfence.com/threat-intel/vulnerabilities/id/c3277d93-4f47-445b-a193-ff990b55d054?source=cve • CWE-284: Improper Access Control •
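The three Download Monitor entries (ajax_search_users, ajax_handle_api_key_actions, enable_shop) and the Strong Testimonials entry above share one root cause: an admin-ajax.php handler that is reachable by any logged-in user but never asks whether that user is allowed to perform the action. The following added example (not code from either plugin; the hook names, nonce action and helper are assumptions) shows the vulnerable shape next to a hardened one, using the user-search case since its impact is easiest to see.

```php
<?php
/**
 * Illustrative WordPress AJAX handlers (NOT Download Monitor's or Strong
 * Testimonials' code; hook names, nonce action and helper names are assumed).
 *
 * admin-ajax.php fires wp_ajax_{action} for ANY authenticated user, including
 * Subscribers, and wp_ajax_nopriv_{action} for anonymous visitors. Registering
 * a handler on wp_ajax_ therefore proves only that the caller is logged in;
 * authorization has to be checked inside the handler. Missing that check is
 * CWE-862, the pattern behind all four advisories above.
 */

/** Shared query used by both handlers below. */
function example_query_users( $term ) {
    return get_users(
        array(
            'search'         => '*' . $term . '*',
            'search_columns' => array( 'user_login', 'user_email' ),
            'number'         => 10,
            'fields'         => array( 'ID', 'user_login', 'user_email' ),
        )
    );
}

// --- Vulnerable: no nonce, no capability check --------------------------------
add_action( 'wp_ajax_example_search_users', 'example_search_users_vulnerable' );

function example_search_users_vulnerable() {
    $term = isset( $_POST['term'] ) ? sanitize_text_field( wp_unslash( $_POST['term'] ) ) : '';
    // A Subscriber POSTing action=example_search_users&term=a to admin-ajax.php
    // harvests usernames and e-mail addresses of every matching account.
    wp_send_json_success( example_query_users( $term ) );
}

// --- Hardened: nonce for CSRF, capability for authorization -------------------
add_action( 'wp_ajax_example_search_users_safe', 'example_search_users_safe' );

/**
 * Reusable guard. $cap is the capability the action really requires:
 * 'list_users' for browsing accounts, 'manage_options' for site-wide state
 * such as enabling a shop or rotating API keys. Both are Administrator-only
 * in WordPress core's default roles.
 */
function example_require_ajax_capability( $cap, $nonce_action ) {
    // CSRF protection. A nonce is NOT authorization: any user who can load the
    // page that prints it (including a Subscriber) receives a valid nonce.
    check_ajax_referer( $nonce_action, 'nonce' );

    // Authorization. wp_send_json_error() ends the request, so no return needed.
    if ( ! current_user_can( $cap ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}

function example_search_users_safe() {
    example_require_ajax_capability( 'list_users', 'example_search_users' );

    $term = isset( $_POST['term'] ) ? sanitize_text_field( wp_unslash( $_POST['term'] ) ) : '';
    wp_send_json_success( example_query_users( $term ) );
}

// The nonce the safe handler expects is emitted to the admin page's JavaScript
// (for example via wp_localize_script()) as wp_create_nonce( 'example_search_users' ).
```

When reviewing a plugin for this class of bug, list every `add_action( 'wp_ajax_...' )` and `add_action( 'wp_ajax_nopriv_...' )` registration and confirm that the callback reaches a `current_user_can()` (or equivalent) check before it reads or writes anything; a `check_ajax_referer()` on its own, or a role-name comparison instead of a capability check, does not close the hole. To reproduce the impact on a test site, log in as a Subscriber and POST the action name to `/wp-admin/admin-ajax.php`: a 200 with data means the handler is missing authorization, while a 403 from the hardened version is the expected result.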