
CVSS: 10.0 | EPSS: 1% | CPEs: 1 | EXPL: 2

11 Jan 2023 — The Hide My WP WordPress plugin before 6.2.9 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. The Hide My WP plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in versions up to, but not including, 6.2.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticate... • https://www.exploit-db.com/exploits/51871 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

24 Nov 2021 — The WordPress Hide My WP plugin (versions <= 6.2.3) can be deactivated by any unauthenticated user: a reset token can be retrieved without authentication and then used to deactivate the plugin. • https://codecanyon.net/item/hide-my-wp-amazing-security-plugin-for-wordpress/4177158 • CWE-284: Improper Access Control CWE-862: Missing Authorization •

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

24 Nov 2021 — The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) arises from how the client IP address is retrieved and used inside a SQL query. The function "hmwp_get_user_ip" reads the address from several request headers, including headers that any client can set, such as "X-Forwarded-For." The value is inserted directly into the SQL query without validation or escaping, so a malicious payload supplied in one of these headers becomes part of the query and SQL injection is possible. • https://codecanyon.net/item/hide-my-wp-amazing-security-plugin-for-wordpress/4177158 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
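Both SQL injection entries above (the header-derived IP in `hmwp_get_user_ip` and the unauthenticated AJAX parameter in versions before 6.2.9) are instances of the same defect: attacker-controlled request data concatenated into a query. The following is an added illustration, not code from the Hide My WP plugin; it models the described header-lookup pattern in Python against an in-memory SQLite table (table name `hmwp_visitors`, the header list, and the proxy handling are all assumptions) and places the hardened version beside it. The hardened lookup trusts `X-Forwarded-For` only when the TCP peer is a configured proxy, rejects anything that does not parse as an IP address, and binds the value as a query parameter instead of interpolating it.

```python
import ipaddress
import sqlite3

# Constructed sample data standing in for a plugin visitor/ban table (assumption).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hmwp_visitors (id INTEGER PRIMARY KEY, ip TEXT, hits INTEGER)")
    conn.executemany(
        "INSERT INTO hmwp_visitors (ip, hits) VALUES (?, ?)",
        [("203.0.113.5", 3), ("198.51.100.9", 1)],
    )
    conn.commit()
    return conn

# Header precedence assumed for illustration; the point is that client-settable
# headers are consulted before the socket peer address.
IP_HEADERS = ("HTTP_X_FORWARDED_FOR", "HTTP_CLIENT_IP", "HTTP_X_REAL_IP", "REMOTE_ADDR")

def get_user_ip_trusting_headers(server):
    """Vulnerable pattern: first populated header wins, value returned unvalidated."""
    for header in IP_HEADERS:
        if server.get(header):
            return server[header]
    return ""

def count_hits_vulnerable(conn, server):
    """Vulnerable: header value is interpolated straight into the SQL text."""
    ip = get_user_ip_trusting_headers(server)
    sql = f"SELECT SUM(hits) FROM hmwp_visitors WHERE ip = '{ip}'"
    return conn.execute(sql).fetchone()[0] or 0

def get_user_ip_safe(server, trusted_proxies=()):
    """Hardened: start from REMOTE_ADDR; honour X-Forwarded-For only behind a
    known proxy, walking right to left past trusted hops; every candidate must
    parse as an IP address or the lookup fails closed (returns None)."""
    try:
        remote_ip = ipaddress.ip_address(server.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if str(remote_ip) in trusted_proxies:
        hops = [p.strip() for p in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if p.strip()]
        for hop in reversed(hops):
            try:
                candidate = ipaddress.ip_address(hop)
            except ValueError:
                return None  # garbage in a forwarded header: refuse rather than guess
            if str(candidate) not in trusted_proxies:
                return str(candidate)
    return str(remote_ip)

def count_hits_safe(conn, server, trusted_proxies=()):
    """Hardened: validated address bound as a parameter, never spliced into SQL."""
    ip = get_user_ip_safe(server, trusted_proxies)
    if ip is None:
        return 0
    row = conn.execute("SELECT SUM(hits) FROM hmwp_visitors WHERE ip = ?", (ip,)).fetchone()
    return row[0] or 0

if __name__ == "__main__":
    db = make_db()
    # Constructed request: attacker supplies the payload in X-Forwarded-For.
    attacker = {"REMOTE_ADDR": "192.0.2.77", "HTTP_X_FORWARDED_FOR": "' OR '1'='1"}
    print("vulnerable:", count_hits_vulnerable(db, attacker))  # every row is summed
    print("hardened:  ", count_hits_safe(db, attacker))        # header ignored, no match
```

Running the block shows the vulnerable query collapsing to `WHERE ip = '' OR '1'='1'` and returning the total for every visitor, while the hardened lookup ignores the forged header because 192.0.2.77 is not a configured proxy. The same `ip_address()` validation also rejects the payload when it arrives through a genuinely trusted proxy, which is the second half of the fix: parameterisation stops the injection, validation stops the spoofing.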