CVE-2023-50902 – WordPress New User Approve Plugin <= 2.5.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-50902
Cross-Site Request Forgery (CSRF) vulnerability in WPExpertsio New User Approve.This issue affects New User Approve: from n/a through 2.5.1. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en WPExpertsio New User Approve. Este problema afecta a New User Approve: desde n/a hasta 2.5.1. The New User Approve plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the admin_notices function. • https://patchstack.com/database/vulnerability/new-user-approve/wordpress-new-user-approve-plugin-2-5-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-1625 – New User Approve < 2.4 - Arbitrary Settings Update & Invitation Code Creation via CSRF
https://notcve.org/view.php?id=CVE-2022-1625
The New User Approve WordPress plugin before 2.4 does not have CSRF check in place when updating its settings and adding invitation codes, which could allow attackers to add invitation codes (for bypassing the provided restrictions) and to change plugin settings by tricking admin users into visiting specially crafted websites. El plugin New User Approve de WordPress versiones anteriores a 2.4, no presenta una comprobación de tipo CSRF cuando actualiza sus ajustes y añade códigos de invitación, lo que podría permitir a atacantes añadir códigos de invitación (para omitir las restricciones establecidas) y cambiar los ajustes del plugin al engañar a usuarios administradores para que visiten sitios web especialmente diseñados The New User Approve WordPress plugin before 2.4.1 does not have CSRF check in place when updating its settings and adding invitation codes, which could allow attackers to add invitation codes (for bypassing the provided restrictions) and to change plugin settings by tricking admin users into visiting specially crafted websites. • https://wpscan.com/vulnerability/e1693318-900c-47f1-bb77-008b0d33327f • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-4974 – Freemius SDK <= 2.4.2 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2022-4974
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable. • https://www.wordfence.com/threat-intel/vulnerabilities/id/39fb0499-9ab4-4a2f-b0db-ece86bcf4d42?source=cve https://wpscan.com/vulnerability/6dae6dca-7474-4008-9fe5-4c62b9f12d0a https://freemius.com/blog/managing-security-issues-open-source-freemius-sdk-security-disclosure https://wpdirectory.net/search/01FWPVWA7BC5DYGZHNSZQ9QMN5 https://wpdirectory.net/search/01G02RSGMFS1TPT63FS16RWEYR https://web.archive.org/web/20220225174410/https%3A//www.pluginvulnerabilities.com/2022/02/25/our-security-review-of-wordpress-plugin-found-freemius-li • CWE-862: Missing Authorization •