CVE-2024-1290 – Formidable Registration < 2.12 - Contributor+ Arbitrary User Password Reset To Account Takeover
https://notcve.org/view.php?id=CVE-2024-1290
The User Registration WordPress plugin before 2.12 does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts.
The WordPress User Registration Forms by Formidable Forms plugin for WordPress is vulnerable to arbitrary user password reset and account takeover in all versions up to, and including, 2.11. This is due to the plugin allowing users with access to the editor to utilize the frm-set-password-link shortcode and supply any user ID. This makes it possible for authenticated attackers, with contributor-level access and above, to reset the password of any user account and achieve account takeover.
• https://wpscan.com/vulnerability/a60187d4-9491-435a-bc36-8dd348a1ffa3
• CWE-862: Missing Authorization
CVE-2023-5228 – User Registration < 3.0.4.2 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-5228
The User Registration WordPress plugin before 3.0.4.2 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
The User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
• https://wpscan.com/vulnerability/50ae7008-46f0-4f89-ae98-65dcabe4ef09
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3342 – User Registration <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-3342
The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hardcoded encryption key and missing file type validation on the 'ur_upload_profile_pic' function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with subscriber-level capabilities or above to upload arbitrary files on the affected site's server, which may make remote code execution possible. This was partially patched in version 3.0.2 and fully patched in version 3.0.2.1.
• http://packetstormsecurity.com/files/173434/WordPress-User-Registration-3.0.2-Arbitrary-File-Upload.html
• https://lana.codes/lanavdb/c0a58dff-7a5b-4cc0-82d6-2255e61d801c
• https://plugins.trac.wordpress.org/browser/user-registration/tags/3.0.1/includes/functions-ur-core.php#L3156
• https://plugins.trac.wordpress.org/changeset/2933689/user-registration/trunk/includes/functions-ur-core.php
• https://www.wordfence.com/threat-intel/vulnerabilities/id/a979e885-f7dd-4616-a881-64f3d97c309d?source=cve
• CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2023-3343 – User Registration <= 3.0.1 - Authenticated (Subscriber+) PHP Object Injection
https://notcve.org/view.php?id=CVE-2023-3343
The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.1 via deserialization of untrusted input from the 'profile-pic-url' parameter. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
• https://plugins.trac.wordpress.org/browser/user-registration/tags/3.0.1/includes/functions-ur-core.php#L3156
• https://plugins.trac.wordpress.org/changeset/2932199/user-registration/trunk/includes/functions-ur-core.php#file0
• https://www.wordfence.com/threat-intel/vulnerabilities/id/3590277a-3319-4707-b728-d75ea59e8ad9?source=cve
• CWE-502: Deserialization of Untrusted Data
CVE-2023-29429 – User Registration <= 2.3.2.1 - Missing Authorization via send_test_email
https://notcve.org/view.php?id=CVE-2023-29429
The User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the send_test_email function in versions up to, and including, 2.3.2.1. This makes it possible for unauthenticated attackers to send a test email.
• CWE-862: Missing Authorization