Archives: Reports
CVE ID:
CVE-2022-3154
WordPress Plugin
integration-for-billingo-gravity-forms
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-09-07
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check in the gf_billingo_pro_deactivate AJAX action, which makes it possible for attackers to deactivate the plugin’s license via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-3154
WordPress Plugin
integration-for-szamlazz-hu-gravity-forms
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-09-07
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check in the gf_szamlazz_pro_deactivate AJAX action, which makes it possible for attackers to deactivate the plugin’s license via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-41990
WordPress Plugin
cardoza-3d-tag-cloud
Vulnerability Type:
Cross-Site Request Forgery (CSRF),
Cross-Site Scripting (XSS)
Date:
2022-09-04
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check, and it’s also contains a Cross-Site Scripting (XSS) vulnerability due to the plugin does not sanitize and escape some parameters, which makes it possible for attackers to inject arbitrary web scripts into pages via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-42884
WordPress Plugin
wip-custom-login
Vulnerability Type:
Missing Authorization
Date:
2022-09-01
The plugin contains a Missing Authorization vulnerability due to a missing capability check, which makes it possible for authenticated attackers with a role as low as subscriber to reset plugin settings.
CVE ID:
CVE-2022-3024
WordPress Plugin
simple-bitcoin-faucets
Vulnerability Type:
Cross-Site Scripting (XSS),
Missing Authorization
Date:
2022-08-27
The plugin contains a Missing Authorization vulnerability due to a missing capability check in the SBF_DB_code_manage_action AJAX action, which makes it possible for authenticated attackers with a role as low as subscribers to add, edit or delete bonds. The plugin also contains a Cross-Site Scripting (XSS) vulnerability, due to the plugin does not sanitize and escape some parameters, which makes it possible to inject arbitrary web scripts.
CVE ID:
CVE-2022-3025
WordPress Plugin
bitcoin-faucet
Vulnerability Type:
Cross-Site Request Forgery (CSRF),
Cross-Site Scripting (XSS)
Date:
2022-08-27
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when saving the plugin settings, and it’s also contains a Cross-Site Scripting (XSS) vulnerability due to the plugin does not sanitize and escape some parameters, which makes it possible for attackers to inject arbitrary web scripts into pages via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-3082
WordPress Plugin
miniorange-discord-integration
Vulnerability Type:
Missing Authorization
Date:
2022-08-26
The plugin contains a Missing Authorization vulnerability due to a missing capability check in the mo_discord_disable_app AJAX action, which makes it possible for authenticated attackers with a role as low as subscriber to disable an app.
CVE ID:
CVE-2022-37412
WordPress Plugin
better-delete-revision
Vulnerability Type:
Cross-Site Scripting (XSS)
Date:
2022-08-26
The plugin contains a Cross-Site Scripting (XSS) vulnerability due to the plugin does not sanitize and escape some parameters, which makes it possible for authenticated attackers with a role as low as administrator to inject arbitrary web scripts.
CVE ID:
CVE-2022-42461
WordPress Plugin
miniorange-2-factor-authentication
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-08-26
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check, which makes it possible for attackers to perform actions via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-2987
WordPress Plugin
ldap-wp-login-integration-with-active-directory
Vulnerability Type:
Authentication Bypass,
Missing Authorization
Date:
2022-08-24
The plugin contains an Auth Bypass vulnerability due to a missing capability check in the ldapConfig action, which makes it possible for unauthenticated attackers to update the LDAP server config, witch can be used to bypass authentication in the website.
CVE ID:
CVE-2022-3119
WordPress Plugin
oauth-client-for-user-authentication
Vulnerability Type:
Authentication Bypass,
Missing Authorization
Date:
2022-08-12
The plugin contains an Auth Bypass vulnerability due to a missing capability check in the oauthconfig action, which makes it possible for unauthenticated attackers to update the OAuth endpoints, which leads to authentication bypass. To bypass authentication, the attacker only needs to know the user’s email address. Depending on the obtained email address, the attacker may even get an administrator role on the client’s website.
CVE ID:
CVE-2022-36352
WordPress Plugin
profilegrid-user-profiles-groups-and-communities
Vulnerability Type:
Missing Authorization
Date:
2022-08-01
The plugin contains a Missing Authorization vulnerability due to a missing capability check in the pm_messenger_show_messages and pm_messenger_send_new_message AJAX actions, which makes it possible for authenticated attackers with a role as low as subscriber to read and edit other user’s messages.
CVE ID:
CVE-2022-34858
WordPress Plugin
oauth-client
Vulnerability Type:
Authentication Bypass
Date:
2022-06-13
The plugin contains an Auth Bypass vulnerability. To bypass authentication, the attacker only needs to know the user’s email address. Depending on the obtained email address, the attacker may even get an administrator role on the client’s website.
CVE ID:
CVE-2022-2133
WordPress Plugin
miniorange-login-with-eve-online-google-facebook
Vulnerability Type:
Authentication Bypass
Date:
2022-06-12
The plugin contains an Auth Bypass vulnerability. To bypass authentication, the attacker only needs to know the user’s email address. Depending on the obtained email address, the attacker may even get an administrator role on the client’s website.
CVE ID:
CVE-2022-34149
WordPress Plugin
miniorange-oauth-20-server
Vulnerability Type:
Authentication Bypass
Date:
2022-06-12
The plugin contains an Auth Bypass vulnerability. To bypass authentication, the attacker only needs to know user’s username. Depending on the username, which can be easily queried because it is usually public data, the attacker may even get an administrator role on the client’s website.
CVE ID:
CVE-2022-2083
WordPress Plugin
single-sign-on-client
Vulnerability Type:
Authentication Bypass
Date:
2022-06-01
The plugin contains an Auth Bypass vulnerability due to the plugin leaks its OAuth client_secret, that can be used to authenticate to the client’s website. Depending on the OAuth server settings, the attacker may even get an administrator role on the client’s website.