The plugin contains an Auth Bypass vulnerability. To bypass authentication, we only need to know the admin’s username, which we can use to bypass authorization, then we can log in as any user from the user switch list.
WP User Switch by IqbalRony WordPress plugin Authentication Bypass
REPORT ID: 0cfdc5fa-d219-46bb-b8cc-693ac28a9e92
ReviewX by WPDeveloper WordPress plugin Privilege Escalation
REPORT ID: a889c3ff-5df0-4d7e-951f-0b0406468efa
The plugin contains an Arbitrary Usermeta Update vulnerability, which leads to Privilege Escalation.
BuddyPress Social Connect by VibeThemes WordPress plugin Authentication Bypass
REPORT ID: 1bd0dfd9-ffec-4d69-bc55-286751300cab
The plugin contains an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s email address. Depending on whose email address we know, we may even be given an administrator role on the website.
OTP Login/Signup Woocommerce by XootiX WordPress plugin Authentication Bypass
REPORT ID: 87b5e80e-fd5b-47c3-bf82-088bdf4573b5
The plugin contains an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s phone number. Depending on whose phone number we know, we may even be given an administrator role on the website.
WCFM – WooCommerce Multivendor Membership by WC Lovers WordPress plugin Privilege Escalation
REPORT ID: 3a841453-d083-4f97-a7f1-b398c7304284
The plugin contains an Unauthenticated Insecure Direct Object Reference (IDOR) to Arbitrary User Email Change vulnerability, witch leads to User Password Reset, which leads to Privilege Escalation. The plugin has an insecurely used variable allowing to change the user email, and gain unauthorized access.