Search criteria
3 vulnerabilities by akashmalik
CVE-2024-13316 (GCVE-0-2024-13316)
Vulnerability from cvelistv5 – Published: 2025-02-18 08:21 – Updated: 2025-02-18 14:34
VLAI?
Title
Scratch & Win – Giveaways and Contests <= 2.8.0 - Missing Authorization to Unauthenticated Coupon Creation
Summary
The Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the apmswn_create_discount() function in all versions up to, and including, 2.8.0. This makes it possible for unauthenticated attackers to create coupons.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| akashmalik | Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more |
Affected:
* , ≤ 2.8.0
(semver)
|
Credits
Peter Thaleikis
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13316",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T14:33:58.446288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T14:34:29.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Scratch \u0026 Win \u2013 Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more",
"vendor": "akashmalik",
"versions": [
{
"lessThanOrEqual": "2.8.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Scratch \u0026 Win \u2013 Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the apmswn_create_discount() function in all versions up to, and including, 2.8.0. This makes it possible for unauthenticated attackers to create coupons."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T08:21:43.110Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/95103830-9009-48df-ab15-476402b59e3f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/scratch-win-giveaways-for-website-facebook/tags/2.7.0/socialscratchwin.php#L492"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3239997%40scratch-win-giveaways-for-website-facebook\u0026new=3239997%40scratch-win-giveaways-for-website-facebook\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3212730%40scratch-win-giveaways-for-website-facebook\u0026new=3212730%40scratch-win-giveaways-for-website-facebook\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-17T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Scratch \u0026 Win \u2013 Giveaways and Contests \u003c= 2.8.0 - Missing Authorization to Unauthenticated Coupon Creation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13316",
"datePublished": "2025-02-18T08:21:43.110Z",
"dateReserved": "2025-01-09T22:05:47.683Z",
"dateUpdated": "2025-02-18T14:34:29.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12545 (GCVE-0-2024-12545)
Vulnerability from cvelistv5 – Published: 2025-01-04 07:24 – Updated: 2025-01-06 16:29
VLAI?
Title
Scratch & Win – Giveaways and Contests <= 2.7.1 - Cross-Site Request Forgery via reset_installation Function
Summary
The Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.1. This is due to missing nonce validation on the reset_installation() function. This makes it possible for unauthenticated attackers to reset the plugin’s installation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
5.4 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| akashmalik | Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more |
Affected:
* , ≤ 2.7.1
(semver)
|
Credits
Peter Thaleikis
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12545",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T16:16:08.795612Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T16:29:51.035Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Scratch \u0026 Win \u2013 Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more",
"vendor": "akashmalik",
"versions": [
{
"lessThanOrEqual": "2.7.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Scratch \u0026 Win \u2013 Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.1. This is due to missing nonce validation on the reset_installation() function. This makes it possible for unauthenticated attackers to reset the plugin\u2019s installation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-04T07:24:23.961Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cbc157b-4f1b-4212-9e5c-dd10dd443df7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/scratch-win-giveaways-for-website-facebook/tags/2.7.0/includes/swin-api.php"
},
{
"url": "https://wordpress.org/plugins/scratch-win-giveaways-for-website-facebook/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3212730/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-03T19:18:18.000+00:00",
"value": "Disclosed"
}
],
"title": "Scratch \u0026 Win \u2013 Giveaways and Contests \u003c= 2.7.1 - Cross-Site Request Forgery via reset_installation Function"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12545",
"datePublished": "2025-01-04T07:24:23.961Z",
"dateReserved": "2024-12-11T21:24:59.613Z",
"dateUpdated": "2025-01-06T16:29:51.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11898 (GCVE-0-2024-11898)
Vulnerability from cvelistv5 – Published: 2024-12-03 07:34 – Updated: 2024-12-03 11:23
VLAI?
Title
Scratch & Win – Giveaways and Contests <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swin-campaign' shortcode in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| akashmalik | Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more |
Affected:
* , ≤ 2.6.9
(semver)
|
Credits
Peter Thaleikis
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11898",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T11:21:05.054566Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T11:23:42.605Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Scratch \u0026 Win \u2013 Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more",
"vendor": "akashmalik",
"versions": [
{
"lessThanOrEqual": "2.6.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Scratch \u0026 Win \u2013 Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027swin-campaign\u0027 shortcode in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T07:34:58.010Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b7f3f0f-5f02-41d7-ac37-ecdde74fc532?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/scratch-win-giveaways-for-website-facebook/tags/2.6.9/socialscratchwin.php#L155"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3199234%40scratch-win-giveaways-for-website-facebook\u0026new=3199234%40scratch-win-giveaways-for-website-facebook\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-02T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Scratch \u0026 Win \u2013 Giveaways and Contests \u003c= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11898",
"datePublished": "2024-12-03T07:34:58.010Z",
"dateReserved": "2024-11-27T16:38:15.499Z",
"dateUpdated": "2024-12-03T11:23:42.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}