CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-54323 – WordPress New User Approve plugin <= 2.6.2 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-54323
11 Dec 2024 — Missing Authorization vulnerability in WPExpertsio New User Approve allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects New User Approve: from n/a through 2.6.2. The New User Approve plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the _admin_notices_hook function in versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with contributor-level access and above, to read notices inte... • https://patchstack.com/database/wordpress/plugin/new-user-approve/vulnerability/wordpress-new-user-approve-plugin-2-6-2-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50902 – WordPress New User Approve Plugin <= 2.5.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-50902
26 Dec 2023 — Cross-Site Request Forgery (CSRF) vulnerability in WPExpertsio New User Approve.This issue affects New User Approve: from n/a through 2.5.1. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en WPExpertsio New User Approve. Este problema afecta a New User Approve: desde n/a hasta 2.5.1. The New User Approve plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the admin_notices function. • https://patchstack.com/database/vulnerability/new-user-approve/wordpress-new-user-approve-plugin-2-5-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1625 – New User Approve < 2.4 - Arbitrary Settings Update & Invitation Code Creation via CSRF
https://notcve.org/view.php?id=CVE-2022-1625
01 Jun 2022 — The New User Approve WordPress plugin before 2.4 does not have CSRF check in place when updating its settings and adding invitation codes, which could allow attackers to add invitation codes (for bypassing the provided restrictions) and to change plugin settings by tricking admin users into visiting specially crafted websites. El plugin New User Approve de WordPress versiones anteriores a 2.4, no presenta una comprobación de tipo CSRF cuando actualiza sus ajustes y añade códigos de invitación, lo que podría... • https://wpscan.com/vulnerability/e1693318-900c-47f1-bb77-008b0d33327f • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 425EXPL: 0CVE-2022-4974 – Freemius SDK <= 2.4.2 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2022-4974
04 Mar 2022 — The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable. • https://www.wordfence.com/threat-intel/vulnerabilities/id/39fb0499-9ab4-4a2f-b0db-ece86bcf4d42?source=cve • CWE-862: Missing Authorization •