Search criteria
31 vulnerabilities by cyberlord92
CVE-2025-12822 (GCVE-0-2025-12822)
Vulnerability from cvelistv5 – Published: 2025-11-19 05:45 – Updated: 2025-11-19 18:43
VLAI?
Title
WP Login and Register using JWT <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) API Key Exposure
Summary
The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mo_jwt_generate_new_api_key' function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate a new API key on site's that do not have an API key configured and subsequently use that to access restricted endpoints.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | WP Login and Register using JWT |
Affected:
* , ≤ 3.0.0
(semver)
|
Credits
Athiwat Tiprasaharn
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12822",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T18:43:07.788647Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T18:43:17.593Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Login and Register using JWT",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "3.0.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Login and Register using JWT plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027mo_jwt_generate_new_api_key\u0027 function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate a new API key on site\u0027s that do not have an API key configured and subsequently use that to access restricted endpoints."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T05:45:15.251Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/966523a4-3d4b-444b-b9d0-63c72527a99f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3397900%40login-register-using-jwt\u0026new=3397900%40login-register-using-jwt\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-06T19:00:51.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-18T17:17:49.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Login and Register using JWT \u003c= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) API Key Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12822",
"datePublished": "2025-11-19T05:45:15.251Z",
"dateReserved": "2025-11-06T18:44:15.837Z",
"dateUpdated": "2025-11-19T18:43:17.593Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11255 (GCVE-0-2025-11255)
Vulnerability from cvelistv5 – Published: 2025-10-25 06:49 – Updated: 2025-10-27 15:52
VLAI?
Title
Password Policy Manager | Password Manager <= 2.0.5 - Missing Authorization to Authenticated (Subscriber+) Configuration Log Out
Summary
The Password Policy Manager | Password Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'moppm_ajax' AJAX endpoint in all versions up to, and including, 2.0.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to log out the site's connection to miniorange.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | Password Policy Manager | Password Manager |
Affected:
* , ≤ 2.0.5
(semver)
|
Credits
Jonas Benjamin Friedli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11255",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-27T15:52:15.899267Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T15:52:24.137Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Password Policy Manager | Password Manager",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "2.0.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Password Policy Manager | Password Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027moppm_ajax\u0027 AJAX endpoint in all versions up to, and including, 2.0.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to log out the site\u0027s connection to miniorange."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-25T06:49:22.427Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/66ac51f9-3571-4e07-a110-afec43abab37?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3381127%40password-policy-manager\u0026new=3381127%40password-policy-manager\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-24T18:09:09.000+00:00",
"value": "Disclosed"
}
],
"title": "Password Policy Manager | Password Manager \u003c= 2.0.5 - Missing Authorization to Authenticated (Subscriber+) Configuration Log Out"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11255",
"datePublished": "2025-10-25T06:49:22.427Z",
"dateReserved": "2025-10-03T12:01:49.445Z",
"dateUpdated": "2025-10-27T15:52:24.137Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10750 (GCVE-0-2025-10750)
Vulnerability from cvelistv5 – Published: 2025-10-18 07:26 – Updated: 2025-10-20 17:37
VLAI?
Title
PowerBI Embed Reports <= 1.2.0 - Unauthenticated Sensitive Information Disclosure
Summary
The PowerBI Embed Reports plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.2.0. This is due to missing capability checks and authentication verification on the 'testUser' endpoint accessible via the mo_epbr_admin_observer() function hooked on 'init'. This makes it possible for unauthenticated attackers to access sensitive Azure AD user information including personal identifiable information (PII) such as displayName, mail, phones, department, or detailed OAuth error data including Azure AD Application/Client IDs, error codes, trace IDs, and correlation IDs.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | PowerBI Embed Reports |
Affected:
* , ≤ 1.2.0
(semver)
|
Credits
Jonas Benjamin Friedli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10750",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T17:36:21.330234Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T17:37:10.527Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerBI Embed Reports",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "1.2.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PowerBI Embed Reports plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.2.0. This is due to missing capability checks and authentication verification on the \u0027testUser\u0027 endpoint accessible via the mo_epbr_admin_observer() function hooked on \u0027init\u0027. This makes it possible for unauthenticated attackers to access sensitive Azure AD user information including personal identifiable information (PII) such as displayName, mail, phones, department, or detailed OAuth error data including Azure AD Application/Client IDs, error codes, trace IDs, and correlation IDs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-18T07:26:32.267Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d830c2eb-16e8-425c-ac46-a467a2fd0133?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/embed-power-bi-reports/tags/1.2.0/embed-microsoft-power-bi-reports.php#L75"
},
{
"url": "https://plugins.trac.wordpress.org/browser/embed-power-bi-reports/tags/1.2.0/Observer/adminObserver.php#L54"
},
{
"url": "https://plugins.trac.wordpress.org/browser/embed-power-bi-reports/tags/1.2.0/Observer/adminObserver.php#L265"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3369956%40embed-power-bi-reports\u0026new=3369956%40embed-power-bi-reports\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-17T19:06:40.000+00:00",
"value": "Disclosed"
}
],
"title": "PowerBI Embed Reports \u003c= 1.2.0 - Unauthenticated Sensitive Information Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10750",
"datePublished": "2025-10-18T07:26:32.267Z",
"dateReserved": "2025-09-19T20:28:14.943Z",
"dateUpdated": "2025-10-20T17:37:10.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10648 (GCVE-0-2025-10648)
Vulnerability from cvelistv5 – Published: 2025-10-15 08:25 – Updated: 2025-10-15 15:25
VLAI?
Title
Login with YourMembership - YM SSO Login <= 1.1.7 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'moym_display_test_attributes'
Summary
The YourMembership Single Sign On – YM SSO Login plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'moym_display_test_attributes' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to read the profile data of the latest SSO login.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | YourMembership Single Sign On – YM SSO Login |
Affected:
* , ≤ 1.1.7
(semver)
|
Credits
Jonas Benjamin Friedli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10648",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-15T15:13:11.438570Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T15:25:33.972Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "YourMembership Single Sign On \u2013 YM SSO Login",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "1.1.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The YourMembership Single Sign On \u2013 YM SSO Login plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027moym_display_test_attributes\u0027 function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to read the profile data of the latest SSO login."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-15T08:25:50.573Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1bb25412-8f63-4a9d-84bd-44fac59c6eed?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/login-with-yourmembership/trunk/class-moym-sso.php#L88"
},
{
"url": "https://plugins.trac.wordpress.org/browser/login-with-yourmembership/trunk/class-moym-sso.php#L112"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-14T19:58:07.000+00:00",
"value": "Disclosed"
}
],
"title": "Login with YourMembership - YM SSO Login \u003c= 1.1.7 - Missing Authorization to Unauthenticated Sensitive Information Exposure via \u0027moym_display_test_attributes\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10648",
"datePublished": "2025-10-15T08:25:50.573Z",
"dateReserved": "2025-09-17T18:07:31.865Z",
"dateUpdated": "2025-10-15T15:25:33.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9485 (GCVE-0-2025-9485)
Vulnerability from cvelistv5 – Published: 2025-10-04 02:24 – Updated: 2025-10-06 14:16
VLAI?
Title
OAuth Single Sign On – SSO (OAuth Client) <= 6.26.12 - Authentication Bypass via get_resource_owner_from_id_token()
Summary
The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.
Severity ?
9.8 (Critical)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | OAuth Single Sign On – SSO (OAuth Client) |
Affected:
* , ≤ 6.26.12
(semver)
|
Credits
Jonas Benjamin Friedli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9485",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T14:14:07.678306Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T14:16:32.877Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OAuth Single Sign On \u2013 SSO (OAuth Client)",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "6.26.12",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The OAuth Single Sign On \u2013 SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T02:24:37.169Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d2448afc-70d1-4dd5-b73b-62d182ee9a8a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/miniorange-login-with-eve-online-google-facebook/tags/6.26.12/class-mooauth-widget.php#L577"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3360768/miniorange-login-with-eve-online-google-facebook"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-15T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-10-03T14:11:31.000+00:00",
"value": "Disclosed"
}
],
"title": "OAuth Single Sign On \u2013 SSO (OAuth Client) \u003c= 6.26.12 - Authentication Bypass via get_resource_owner_from_id_token()"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-9485",
"datePublished": "2025-10-04T02:24:37.169Z",
"dateReserved": "2025-08-26T08:59:36.029Z",
"dateUpdated": "2025-10-06T14:16:32.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10746 (GCVE-0-2025-10746)
Vulnerability from cvelistv5 – Published: 2025-10-04 02:24 – Updated: 2025-10-06 14:16
VLAI?
Title
Integrate Dynamics 365 CRM <= 1.0.9 - Missing Authorization
Summary
The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.9. This is due to missing capability checks and nonce verification on functions hooked to 'init'. This makes it possible for unauthenticated attackers to deactivate the plugin, tamper with OAuth configuration, and trigger test connections that expose sensitive data via direct request to vulnerable endpoints granted they can craft malicious requests with specific parameters.
Severity ?
6.5 (Medium)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | Integrate Dynamics 365 CRM |
Affected:
* , ≤ 1.0.9
(semver)
|
Credits
Jonas Benjamin Friedli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10746",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T14:14:34.144280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T14:16:41.038Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Integrate Dynamics 365 CRM",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "1.0.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.9. This is due to missing capability checks and nonce verification on functions hooked to \u0027init\u0027. This makes it possible for unauthenticated attackers to deactivate the plugin, tamper with OAuth configuration, and trigger test connections that expose sensitive data via direct request to vulnerable endpoints granted they can craft malicious requests with specific parameters."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-04T02:24:36.757Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b7fb23e8-dabb-4d6e-a2b2-2b27d6a38b3c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/tags/1.0.9/Observer/adminObserver.php#L26"
},
{
"url": "https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/tags/1.0.9/integrate-dynamics-365-crm.php#L48"
},
{
"url": "https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/trunk/Observer/class-adminobserver.php?rev=3370266#L71"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-03T14:18:24.000+00:00",
"value": "Disclosed"
}
],
"title": "Integrate Dynamics 365 CRM \u003c= 1.0.9 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10746",
"datePublished": "2025-10-04T02:24:36.757Z",
"dateReserved": "2025-09-19T19:39:41.942Z",
"dateUpdated": "2025-10-06T14:16:41.038Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10752 (GCVE-0-2025-10752)
Vulnerability from cvelistv5 – Published: 2025-09-26 01:47 – Updated: 2025-09-26 19:24
VLAI?
Title
OAuth Single Sign On – SSO (OAuth Client) <= 6.26.12 - Cross-Site Request Forgery
Summary
The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. This is due to using a predictable state parameter (base64 encoded app name) without any randomness in the OAuth flow. This makes it possible for unauthenticated attackers to forge OAuth authorization requests and potentially hijack the OAuth flow via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | OAuth Single Sign On – SSO (OAuth Client) |
Affected:
* , ≤ 6.26.12
(semver)
|
Credits
Jonas Benjamin Friedli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10752",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-26T19:24:31.437473Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T19:24:44.021Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OAuth Single Sign On \u2013 SSO (OAuth Client)",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "6.26.12",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The OAuth Single Sign On \u2013 SSO (OAuth Client) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. This is due to using a predictable state parameter (base64 encoded app name) without any randomness in the OAuth flow. This makes it possible for unauthenticated attackers to forge OAuth authorization requests and potentially hijack the OAuth flow via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T01:47:27.527Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e8d7e8f3-e8ff-460f-a343-807bcdb865dc?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/miniorange-login-with-eve-online-google-facebook/tags/6.26.12/class-mooauth-widget.php#L285"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3360768%40miniorange-login-with-eve-online-google-facebook\u0026new=3360768%40miniorange-login-with-eve-online-google-facebook\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-25T13:34:18.000+00:00",
"value": "Disclosed"
}
],
"title": "OAuth Single Sign On \u2013 SSO (OAuth Client) \u003c= 6.26.12 - Cross-Site Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10752",
"datePublished": "2025-09-26T01:47:27.527Z",
"dateReserved": "2025-09-19T20:37:57.485Z",
"dateUpdated": "2025-09-26T19:24:44.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-7665 (GCVE-0-2025-7665)
Vulnerability from cvelistv5 – Published: 2025-09-19 12:27 – Updated: 2025-09-19 13:05
VLAI?
Title
Miniorange OTP Verification with Firebase 3.1.0 - 3.6.2 - Unauthenticated Privilege Escalation
Summary
The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'handle_mofirebase_form_options' function in versions 3.1.0 to 3.6.2. This makes it possible for unauthenticated attackers to update the default role to Administrator. Premium features must be enabled in order to exploit the vulnerability.
Severity ?
8.1 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | Miniorange OTP Verification with Firebase |
Affected:
3.1.0 , ≤ 3.6.2
(semver)
|
Credits
Kenneth Dunn
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7665",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-19T13:04:59.600598Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T13:05:05.787Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Miniorange OTP Verification with Firebase",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "3.6.2",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kenneth Dunn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the \u0027handle_mofirebase_form_options\u0027 function in versions 3.1.0 to 3.6.2. This makes it possible for unauthenticated attackers to update the default role to Administrator. Premium features must be enabled in order to exploit the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-19T12:27:36.481Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a9a02910-5674-4266-ab6e-7926bf6adecc?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/trunk/handler/forms/class-registrationform.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-19T00:13:56.000+00:00",
"value": "Disclosed"
}
],
"title": "Miniorange OTP Verification with Firebase 3.1.0 - 3.6.2 - Unauthenticated Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-7665",
"datePublished": "2025-09-19T12:27:36.481Z",
"dateReserved": "2025-07-14T21:34:58.243Z",
"dateUpdated": "2025-09-19T13:05:05.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-9891 (GCVE-0-2025-9891)
Vulnerability from cvelistv5 – Published: 2025-09-17 01:53 – Updated: 2025-09-17 13:09
VLAI?
Title
User Sync – Remote User Sync <= 1.0.2 - Cross-Site Request Forgery to Plugin Deactivation
Summary
The User Sync – Remote User Sync plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the mo_user_sync_form_handler() function. This makes it possible for unauthenticated attackers to deactivate the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | User Sync |
Affected:
* , ≤ 1.0.2
(semver)
|
Credits
Jonas Benjamin Friedli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9891",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-17T13:09:20.554042Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T13:09:26.021Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "User Sync",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "1.0.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The User Sync \u2013 Remote User Sync plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the mo_user_sync_form_handler() function. This makes it possible for unauthenticated attackers to deactivate the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-17T01:53:14.331Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b60777e-6e07-42bd-9364-43367e209227?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/user-sync/tags/1.0.1/mo-user-sync-main.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3360328%40user-sync\u0026new=3360328%40user-sync\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-16T13:49:44.000+00:00",
"value": "Disclosed"
}
],
"title": "User Sync \u2013 Remote User Sync \u003c= 1.0.2 - Cross-Site Request Forgery to Plugin Deactivation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-9891",
"datePublished": "2025-09-17T01:53:14.331Z",
"dateReserved": "2025-09-02T22:59:56.638Z",
"dateUpdated": "2025-09-17T13:09:26.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-6003 (GCVE-0-2025-6003)
Vulnerability from cvelistv5 – Published: 2025-06-12 08:22 – Updated: 2025-06-12 13:55
VLAI?
Title
WordPress Single Sign-On (SSO) - Multiple Versions - Incorrect Authorization to Sensitive Information Exposure
Summary
The WordPress Single Sign-On (SSO) plugin for WordPress is vulnerable to unauthorized access due to a misconfigured capability check on a function in all versions up to, and including, the *.5.3 versions of the plugin. This makes it possible for unauthenticated attackers to extract sensitive data including site content that has been restricted to certain users and/or roles.
Severity ?
5.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| cyberlord92 | WordPress Single Sign-On (SSO) - Single Site Standard |
Affected:
* , ≤ 18.5.3
(semver)
|
||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
Credits
Israël Hallé
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6003",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-12T13:55:23.738209Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T13:55:38.251Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress Single Sign-On (SSO) - Single Site Standard",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "18.5.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WordPress Single Sign-On (SSO) - Single Site Premium",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "28.5.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WordPress Single Sign-On (SSO) - Multisite Premium",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "30.5.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WordPress Single Sign-On (SSO) - Single Site Enterprise",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "38.5.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WordPress Single Sign-On (SSO) - Multisite Enterprise",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "40.5.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WordPress Single Sign-On (SSO) - Single Site All-Inclusive",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "48.5.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WordPress Single Sign-On (SSO) - Multisite All-Inclusive",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "50.5.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Isra\u00ebl Hall\u00e9"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WordPress Single Sign-On (SSO) plugin for WordPress is vulnerable to unauthorized access due to a misconfigured capability check on a function in all versions up to, and including, the *.5.3 versions of the plugin. This makes it possible for unauthenticated attackers to extract sensitive data including site content that has been restricted to certain users and/or roles."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T08:22:43.767Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51aa5531-e5b3-4c47-8d06-58eac6dd92fb?source=cve"
},
{
"url": "https://plugins.miniorange.com/wordpress-sso"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-13T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-06-11T19:22:27.000+00:00",
"value": "Disclosed"
}
],
"title": "WordPress Single Sign-On (SSO) - Multiple Versions - Incorrect Authorization to Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-6003",
"datePublished": "2025-06-12T08:22:43.767Z",
"dateReserved": "2025-06-11T17:58:46.446Z",
"dateUpdated": "2025-06-12T13:55:38.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11087 (GCVE-0-2024-11087)
Vulnerability from cvelistv5 – Published: 2025-03-08 07:04 – Updated: 2025-03-11 16:08
VLAI?
Title
miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon <= 200.3.9 - Authentication Bypass
Summary
The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 200.3.9. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token.
Severity ?
8.1 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon |
Affected:
* , ≤ 200.3.9
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T16:59:55.579223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T16:08:20.531Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "200.3.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 200.3.9. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-08T07:04:55.340Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f677b257-606a-45f2-ba85-3a56b8df2a3c?source=cve"
},
{
"url": "https://www.miniorange.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-07T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon \u003c= 200.3.9 - Authentication Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11087",
"datePublished": "2025-03-08T07:04:55.340Z",
"dateReserved": "2024-11-11T19:15:13.435Z",
"dateUpdated": "2025-03-11T16:08:20.531Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46082 (GCVE-0-2023-46082)
Vulnerability from cvelistv5 – Published: 2025-01-02 11:59 – Updated: 2025-01-03 19:09
VLAI?
Title
WordPress Broken Link Checker | Finder plugin <= 2.4.2 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Cyberlord92 Broken Link Checker | Finder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Broken Link Checker | Finder: from n/a through 2.4.2.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Cyberlord92 | Broken Link Checker | Finder |
Affected:
n/a , ≤ 2.4.2
(custom)
|
Credits
Abdi Pranata (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-02T17:41:23.429084Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T19:09:50.141Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "broken-link-finder",
"product": "Broken Link Checker | Finder",
"vendor": "Cyberlord92",
"versions": [
{
"changes": [
{
"at": "2.5.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.4.2",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abdi Pranata (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in Cyberlord92 Broken Link Checker | Finder allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects Broken Link Checker | Finder: from n/a through 2.4.2.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Cyberlord92 Broken Link Checker | Finder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Broken Link Checker | Finder: from n/a through 2.4.2."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-02T11:59:58.339Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/broken-link-finder/vulnerability/wordpress-broken-link-checker-finder-plugin-2-4-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Broken Link Checker | Finder plugin to the latest available version (at least 2.5.0)."
}
],
"value": "Update the WordPress Broken Link Checker | Finder plugin to the latest available version (at least 2.5.0)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Broken Link Checker | Finder plugin \u003c= 2.4.2 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-46082",
"datePublished": "2025-01-02T11:59:58.339Z",
"dateReserved": "2023-10-16T11:02:30.484Z",
"dateUpdated": "2025-01-03T19:09:50.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11297 (GCVE-0-2024-11297)
Vulnerability from cvelistv5 – Published: 2024-12-20 06:59 – Updated: 2024-12-20 15:57
VLAI?
Title
Page Restriction WordPress (WP) – Protect WP Pages/Post <= 1.3.6 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Summary
The Page Restriction WordPress (WP) – Protect WP Pages/Post plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.6 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | Page Restriction WordPress (WP) – Protect WP Pages/Post |
Affected:
* , ≤ 1.3.6
(semver)
|
Credits
Francesco Carlucci
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11297",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T15:52:09.861630Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "CWE-203 Observable Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T15:57:37.358Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Page Restriction WordPress (WP) \u2013 Protect WP Pages/Post",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "1.3.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Page Restriction WordPress (WP) \u2013 Protect WP Pages/Post plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.6 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T06:59:07.444Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d12ab8c-d5d0-4e02-986e-e894fae073e5?source=cve"
},
{
"url": "https://wordpress.org/plugins/page-and-post-restriction/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-19T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Page Restriction WordPress (WP) \u2013 Protect WP Pages/Post \u003c= 1.3.6 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11297",
"datePublished": "2024-12-20T06:59:07.444Z",
"dateReserved": "2024-11-16T00:54:57.625Z",
"dateUpdated": "2024-12-20T15:57:37.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12121 (GCVE-0-2024-12121)
Vulnerability from cvelistv5 – Published: 2024-12-19 01:45 – Updated: 2024-12-20 17:41
VLAI?
Title
Broken Link Checker | Finder <= 2.5.0 - Authenticated (Author+) Blind Server-Side Request Forgery
Summary
The Broken Link Checker | Finder plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the 'moblc_check_link' function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity ?
5.4 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | Broken Link Checker | Finder |
Affected:
* , ≤ 2.5.0
(semver)
|
Credits
Francesco Carlucci
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T16:45:12.169560Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T17:41:32.059Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Broken Link Checker | Finder",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "2.5.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Broken Link Checker | Finder plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the \u0027moblc_check_link\u0027 function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-19T01:45:14.611Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa52034e-3d11-4be5-ab8b-8f7256be2a3e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3207590/broken-link-finder"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-11T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-12-18T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Broken Link Checker | Finder \u003c= 2.5.0 - Authenticated (Author+) Blind Server-Side Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12121",
"datePublished": "2024-12-19T01:45:14.611Z",
"dateReserved": "2024-12-03T22:16:00.537Z",
"dateUpdated": "2024-12-20T17:41:32.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10111 (GCVE-0-2024-10111)
Vulnerability from cvelistv5 – Published: 2024-12-12 03:23 – Updated: 2024-12-12 15:55
VLAI?
Title
OAuth Single Sign On – SSO (OAuth Client) <= 6.26.3 - Authentication Bypass
Summary
The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.26.3. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token.
Severity ?
8.1 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | OAuth Single Sign On – SSO (OAuth Client) |
Affected:
* , ≤ 6.26.3
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10111",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T15:54:57.346189Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T15:55:19.489Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OAuth Single Sign On \u2013 SSO (OAuth Client)",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "6.26.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The OAuth Single Sign On \u2013 SSO (OAuth Client) plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.26.3. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T03:23:10.001Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddd83877-739f-4c21-8179-20de8bbc4936?source=cve"
},
{
"url": "https://wordpress.org/plugins/miniorange-login-with-eve-online-google-facebook/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-11T15:14:20.000+00:00",
"value": "Disclosed"
}
],
"title": "OAuth Single Sign On \u2013 SSO (OAuth Client) \u003c= 6.26.3 - Authentication Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-10111",
"datePublished": "2024-12-12T03:23:10.001Z",
"dateReserved": "2024-10-17T22:56:59.678Z",
"dateUpdated": "2024-12-12T15:55:19.489Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-11901 (GCVE-0-2024-11901)
Vulnerability from cvelistv5 – Published: 2024-12-12 03:23 – Updated: 2024-12-12 15:52
VLAI?
Title
PowerBI Embed Reports <= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The PowerBI Embed Reports plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'MO_API_POWER_BI' shortcode in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | PowerBI Embed Reports |
Affected:
* , ≤ 1.1.7
(semver)
|
Credits
Peter Thaleikis
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11901",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T15:51:57.264697Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T15:52:23.379Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PowerBI Embed Reports",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "1.1.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PowerBI Embed Reports plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027MO_API_POWER_BI\u0027 shortcode in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T03:23:09.627Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c62aa119-98bc-485e-92f2-43bf21756ebd?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/embed-power-bi-reports/tags/1.1.7/Controller/powerBIConfig.php#L306"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-11T15:09:02.000+00:00",
"value": "Disclosed"
}
],
"title": "PowerBI Embed Reports \u003c= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11901",
"datePublished": "2024-12-12T03:23:09.627Z",
"dateReserved": "2024-11-27T16:46:18.841Z",
"dateUpdated": "2024-12-12T15:52:23.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9887 (GCVE-0-2024-9887)
Vulnerability from cvelistv5 – Published: 2024-11-16 09:36 – Updated: 2024-11-19 15:27
VLAI?
Title
Login using WordPress Users ( WP as SAML IDP ) <= 1.15.6 - Authenticated (Administrator+) SQL Injection
Summary
The Login using WordPress Users ( WP as SAML IDP ) plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.15.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
7.2 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | Login using WordPress Users ( WP as SAML IDP ) |
Affected:
* , ≤ 1.15.6
(semver)
|
Credits
Lesor101
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cyberlord92:login_using_wordpress_users:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "login_using_wordpress_users",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "1.15.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9887",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-19T15:26:03.537636Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T15:27:53.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Login using WordPress Users ( WP as SAML IDP )",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "1.15.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lesor101"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Login using WordPress Users ( WP as SAML IDP ) plugin for WordPress is vulnerable to time-based SQL Injection via the \u2018id\u2019 parameter in all versions up to, and including, 1.15.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-16T09:36:34.031Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/220b0e71-8e80-4a29-982e-259a475835fe?source=cve"
},
{
"url": "https://github.com/GumGumZz/wordpress/blob/main/miniorange-wp-as-saml-idp.md"
},
{
"url": "https://plugins.trac.wordpress.org/browser/miniorange-wp-as-saml-idp/trunk/controllers/sso-idp-settings.php#L46"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3184249%40miniorange-wp-as-saml-idp%2Ftrunk\u0026old=3158222%40miniorange-wp-as-saml-idp%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-15T20:41:13.000+00:00",
"value": "Disclosed"
}
],
"title": "Login using WordPress Users ( WP as SAML IDP ) \u003c= 1.15.6 - Authenticated (Administrator+) SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-9887",
"datePublished": "2024-11-16T09:36:34.031Z",
"dateReserved": "2024-10-11T19:07:22.126Z",
"dateUpdated": "2024-11-19T15:27:53.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9863 (GCVE-0-2024-9863)
Vulnerability from cvelistv5 – Published: 2024-10-17 02:06 – Updated: 2024-10-17 15:48
VLAI?
Title
Miniorange OTP Verification with Firebase <= 3.6.0 - Privilege Escalation via Registration due to Administrator Default User Role Value
Summary
The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'default_user_role' option. This makes it possible for unauthenticated attackers to register an administrator user even if the registration form is disabled.
Severity ?
9.8 (Critical)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | Miniorange OTP Verification with Firebase |
Affected:
* , ≤ 3.6.0
(semver)
|
Credits
István Márton
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:miniorange:otp_verification:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "otp_verification",
"vendor": "miniorange",
"versions": [
{
"lessThanOrEqual": "3.6.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9863",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T15:23:48.056528Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T15:48:42.152Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Miniorange OTP Verification with Firebase",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "3.6.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure \u0027administrator\u0027 default value for the \u0027default_user_role\u0027 option. This makes it possible for unauthenticated attackers to register an administrator user even if the registration form is disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266 Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T02:06:05.842Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f04eab14-dd86-4145-b5eb-20d064bc8417?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-registrationform.php#L194"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3169869/miniorange-firebase-sms-otp-verification#file4"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-11T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-10-11T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-10-16T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Miniorange OTP Verification with Firebase \u003c= 3.6.0 - Privilege Escalation via Registration due to Administrator Default User Role Value"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-9863",
"datePublished": "2024-10-17T02:06:05.842Z",
"dateReserved": "2024-10-11T12:46:24.289Z",
"dateUpdated": "2024-10-17T15:48:42.152Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9862 (GCVE-0-2024-9862)
Vulnerability from cvelistv5 – Published: 2024-10-17 02:06 – Updated: 2024-10-17 16:16
VLAI?
Title
Miniorange OTP Verification with Firebase <= 3.6.0 - Unauthenticated Arbitrary User Password Change
Summary
The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 3.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources, and the user current password check is missing. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.
Severity ?
9.8 (Critical)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | Miniorange OTP Verification with Firebase |
Affected:
* , ≤ 3.6.0
(semver)
|
Credits
István Márton
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:miniorange:otp_verification:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "otp_verification",
"vendor": "miniorange",
"versions": [
{
"lessThanOrEqual": "3.6.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9862",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T16:15:43.649001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T16:16:36.530Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Miniorange OTP Verification with Firebase",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "3.6.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 3.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources, and the user current password check is missing. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T02:06:03.451Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9c3df12d-e526-4a23-89d3-bfdcea9f7b2d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-loginform.php#L236"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3169869/miniorange-firebase-sms-otp-verification#file3"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-11T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-10-11T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-10-16T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Miniorange OTP Verification with Firebase \u003c= 3.6.0 - Unauthenticated Arbitrary User Password Change"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-9862",
"datePublished": "2024-10-17T02:06:03.451Z",
"dateReserved": "2024-10-11T12:45:59.762Z",
"dateUpdated": "2024-10-17T16:16:36.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9861 (GCVE-0-2024-9861)
Vulnerability from cvelistv5 – Published: 2024-10-17 02:05 – Updated: 2024-10-17 19:54
VLAI?
Title
Miniorange OTP Verification with Firebase <= 3.6.0 - Authentication Bypass
Summary
The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.6.0. This is due to missing validation on the token being supplied during the otp login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the phone number associated with that user.
Severity ?
8.1 (High)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | Miniorange OTP Verification with Firebase |
Affected:
* , ≤ 3.6.0
(semver)
|
Credits
István Márton
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9861",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T19:54:08.043290Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T19:54:36.049Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Miniorange OTP Verification with Firebase",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "3.6.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.6.0. This is due to missing validation on the token being supplied during the otp login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the phone number associated with that user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T02:05:57.541Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/04045ec3-dd8e-4ac5-bd73-eef6205ecc62?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-loginform.php#L144"
},
{
"url": "https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-loginform.php#L190"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3169869/miniorange-firebase-sms-otp-verification#file3"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-11T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-10-11T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-10-16T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Miniorange OTP Verification with Firebase \u003c= 3.6.0 - Authentication Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-9861",
"datePublished": "2024-10-17T02:05:57.541Z",
"dateReserved": "2024-10-11T12:45:47.862Z",
"dateUpdated": "2024-10-17T19:54:36.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4539 (GCVE-0-2022-4539)
Vulnerability from cvelistv5 – Published: 2024-08-31 09:35 – Updated: 2024-09-03 14:37
VLAI?
Title
Web Application Firewall <= 2.1.2 - IP Address Spoofing to Protection Mechanism Bypass
Summary
The Web Application Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1.2. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in.
Severity ?
5.3 (Medium)
CWE
- CWE-348 - Use of Less Trusted Source
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | Web Application Firewall – website security |
Affected:
* , ≤ 2.1.2
(semver)
|
Credits
Mohammadreza Rashidi
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:miniorange:web_application_firewall:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "web_application_firewall",
"vendor": "miniorange",
"versions": [
{
"lessThanOrEqual": "2.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-4539",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T14:35:31.628535Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T14:37:17.494Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Web Application Firewall \u2013 website security",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "2.1.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mohammadreza Rashidi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Web Application Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1.2. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with with a different IP Address that will be logged and can be used to bypass settings that may have blocked out an IP address or country from logging in."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-348",
"description": "CWE-348 Use of Less Trusted Source",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-31T09:35:55.748Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e99531c-8742-4f91-8525-65bb3cb06644?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3055548/web-application-firewall/trunk/helper/utility.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-30T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Web Application Firewall \u003c= 2.1.2 - IP Address Spoofing to Protection Mechanism Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2022-4539",
"datePublished": "2024-08-31T09:35:55.748Z",
"dateReserved": "2022-12-16T02:14:06.131Z",
"dateUpdated": "2024-09-03T14:37:17.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-0681 (GCVE-0-2024-0681)
Vulnerability from cvelistv5 – Published: 2024-03-13 15:27 – Updated: 2024-08-08 20:02
VLAI?
Summary
The Page Restriction WordPress (WP) – Protect WP Pages/Post plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.3.4. This is due to the plugin not properly restricting access to pages via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected pages. The vendor has decided that they will not implement REST API protection on posts and pages and the restrictions will only apply to the front-end of the site. The vendors solution was to add notices throughout the dashboard and recommends installing the WordPress REST API Authentication plugin for REST API coverage.
Severity ?
5.3 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | Page Restriction WordPress (WP) – Protect WP Pages/Post |
Affected:
* , ≤ 1.3.4
(semver)
|
Credits
Francesco Carlucci
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:11:35.735Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3e33a5c-df7c-4ef5-a59c-1c31abcda6d1?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3034414%40page-and-post-restriction\u0026new=3034414%40page-and-post-restriction\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:miniorange:page_restriction:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unaffected",
"product": "page_restriction",
"vendor": "miniorange",
"versions": [
{
"lessThanOrEqual": "1.3.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0681",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T19:58:58.497260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T20:02:18.711Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Page Restriction WordPress (WP) \u2013 Protect WP Pages/Post",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "1.3.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Page Restriction WordPress (WP) \u2013 Protect WP Pages/Post plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.3.4. This is due to the plugin not properly restricting access to pages via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected pages. The vendor has decided that they will not implement REST API protection on posts and pages and the restrictions will only apply to the front-end of the site. The vendors solution was to add notices throughout the dashboard and recommends installing the WordPress REST API Authentication plugin for REST API coverage."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-693 Protection Mechanism Failure",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-13T15:27:08.355Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3e33a5c-df7c-4ef5-a59c-1c31abcda6d1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3034414%40page-and-post-restriction\u0026new=3034414%40page-and-post-restriction\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-27T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0681",
"datePublished": "2024-03-13T15:27:08.355Z",
"dateReserved": "2024-01-18T13:55:00.721Z",
"dateUpdated": "2024-08-08T20:02:18.711Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2172 (GCVE-0-2024-2172)
Vulnerability from cvelistv5 – Published: 2024-03-13 15:26 – Updated: 2024-08-01 19:03
VLAI?
Summary
The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and including, 4.7.2 (for Malware Scanner) and 2.1.1 (for Web Application Firewall). This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator.
Severity ?
9.8 (Critical)
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| cyberlord92 | Web Application Firewall – website security |
Affected:
* , ≤ 2.1.1
(semver)
|
|||||||
|
|||||||||
Credits
Stiofan O'Connor
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:miniorange:malware_scanner:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "malware_scanner",
"vendor": "miniorange",
"versions": [
{
"lessThanOrEqual": "4.7.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:miniorange:web_application_firewall:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "web_application_firewall",
"vendor": "miniorange",
"versions": [
{
"lessThanOrEqual": "2.1.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2172",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T17:31:36.937134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T14:45:20.223Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:03:39.304Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6347f588-a3fd-4909-ad57-9d78787b5728?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/miniorange-malware-protection/tags/4.7.2/handler/login.php#L89"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/miniorange-malware-protection/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Web Application Firewall \u2013 website security",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "2.1.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Malware Scanner",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "4.7.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Stiofan O\u0027Connor"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and including, 4.7.2 (for Malware Scanner) and 2.1.1 (for Web Application Firewall). This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-304 Missing Critical Step in Authentication",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-13T15:26:53.433Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6347f588-a3fd-4909-ad57-9d78787b5728?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/miniorange-malware-protection/tags/4.7.2/handler/login.php#L89"
},
{
"url": "https://wordpress.org/plugins/miniorange-malware-protection/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-13T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2172",
"datePublished": "2024-03-13T15:26:53.433Z",
"dateReserved": "2024-03-04T18:27:27.719Z",
"dateUpdated": "2024-08-01T19:03:39.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4943 (GCVE-0-2022-4943)
Vulnerability from cvelistv5 – Published: 2023-10-20 07:29 – Updated: 2024-09-16 18:14
VLAI?
Summary
The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's settings.
Severity ?
7.5 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA , Two Factor, OTP SMS and Email | Passwordless login |
Affected:
* , ≤ 5.6.5
(semver)
|
Credits
Ramuel Gall
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:55:46.044Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7267ede1-7745-47cc-ac0d-4362140b4c23?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2842228%40miniorange-2-factor-authentication%2Ftrunk\u0026old=2815645%40miniorange-2-factor-authentication%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-4943",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-16T18:14:40.722825Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-16T18:14:57.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "miniOrange\u0026#039;s Google Authenticator \u2013 WordPress Two Factor Authentication \u2013 2FA , Two Factor, OTP SMS and Email | Passwordless login",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "5.6.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ramuel Gall"
}
],
"descriptions": [
{
"lang": "en",
"value": "The miniOrange\u0027s Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin\u0027s settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-20T07:29:21.001Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7267ede1-7745-47cc-ac0d-4362140b4c23?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2842228%40miniorange-2-factor-authentication%2Ftrunk\u0026old=2815645%40miniorange-2-factor-authentication%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2023-04-19T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2022-4943",
"datePublished": "2023-10-20T07:29:21.001Z",
"dateReserved": "2023-04-19T14:13:49.149Z",
"dateUpdated": "2024-09-16T18:14:57.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4506 (GCVE-0-2023-4506)
Vulnerability from cvelistv5 – Published: 2023-09-26 01:51 – Updated: 2025-02-05 19:19
VLAI?
Summary
The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 4.1.10. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server.
Severity ?
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | Active Directory Integration / LDAP Integration |
Affected:
* , ≤ 4.1.10
(semver)
|
Credits
Pedro José Navas Pérez
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:05.501Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0585969d-dd08-4058-9d72-138a55a2cdf1?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/ldap-login-for-intranet-sites/"
},
{
"tags": [
"x_transferred"
],
"url": "https://medium.com/%40cybertrinchera/cve-2023-4506-cve-2023-4505-ldap-passback-on-miniorange-plugins-ca7328c84313"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4506",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T18:25:38.149079Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T19:19:10.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Active Directory Integration / LDAP Integration",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "4.1.10",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pedro Jos\u00e9 Navas P\u00e9rez"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 4.1.10. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.2,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-26T01:51:13.277Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0585969d-dd08-4058-9d72-138a55a2cdf1?source=cve"
},
{
"url": "https://wordpress.org/plugins/ldap-login-for-intranet-sites/"
},
{
"url": "https://medium.com/%40cybertrinchera/cve-2023-4506-cve-2023-4505-ldap-passback-on-miniorange-plugins-ca7328c84313"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-09-25T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-4506",
"datePublished": "2023-09-26T01:51:13.277Z",
"dateReserved": "2023-08-23T21:46:35.528Z",
"dateUpdated": "2025-02-05T19:19:10.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4505 (GCVE-0-2023-4505)
Vulnerability from cvelistv5 – Published: 2023-09-26 01:51 – Updated: 2025-02-05 19:19
VLAI?
Summary
The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server.
Severity ?
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | Staff / Employee Business Directory for Active Directory |
Affected:
* , ≤ 1.2.3
(semver)
|
Credits
Pedro José Navas Pérez
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:05.497Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ea40b96-4693-4f98-8e6e-2ed8186cedd8?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/ldap-ad-staff-employee-directory-search/"
},
{
"tags": [
"x_transferred"
],
"url": "https://medium.com/%40cybertrinchera/cve-2023-4506-cve-2023-4505-ldap-passback-on-miniorange-plugins-ca7328c84313"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4505",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T18:25:35.113466Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T19:19:01.832Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Staff / Employee Business Directory for Active Directory",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "1.2.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pedro Jos\u00e9 Navas P\u00e9rez"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.2,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-26T01:51:13.836Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ea40b96-4693-4f98-8e6e-2ed8186cedd8?source=cve"
},
{
"url": "https://wordpress.org/plugins/ldap-ad-staff-employee-directory-search/"
},
{
"url": "https://medium.com/%40cybertrinchera/cve-2023-4506-cve-2023-4505-ldap-passback-on-miniorange-plugins-ca7328c84313"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-09-25T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-4505",
"datePublished": "2023-09-26T01:51:13.836Z",
"dateReserved": "2023-08-23T21:43:23.252Z",
"dateUpdated": "2025-02-05T19:19:01.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3249 (GCVE-0-2023-3249)
Vulnerability from cvelistv5 – Published: 2023-06-30 01:56 – Updated: 2024-12-03 16:21
VLAI?
Summary
The Web3 – Crypto wallet Login & NFT token gating plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.6.0. This is due to incorrect authentication checking in the 'hidden_form_data' function. This makes it possible for authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
Severity ?
9.8 (Critical)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | Web3 – Crypto wallet Login & NFT token gating |
Affected:
* , ≤ 2.6.0
(semver)
|
Credits
Lana Codes
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:48:08.498Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e30b62de-7280-4c29-b882-dfa83e65966b?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/web3-authentication/tags/2.6.0/classes/common/Web3/controller/class-moweb3flowhandler.php#L198"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3249",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T16:19:51.029337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T16:21:55.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Web3 \u2013 Crypto wallet Login \u0026 NFT token gating",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "2.6.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lana Codes"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Web3 \u2013 Crypto wallet Login \u0026 NFT token gating plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.6.0. This is due to incorrect authentication checking in the \u0027hidden_form_data\u0027 function. This makes it possible for authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-30T01:56:18.057Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e30b62de-7280-4c29-b882-dfa83e65966b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/web3-authentication/tags/2.6.0/classes/common/Web3/controller/class-moweb3flowhandler.php#L198"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-06-14T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-06-29T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-3249",
"datePublished": "2023-06-30T01:56:18.057Z",
"dateReserved": "2023-06-14T19:17:34.491Z",
"dateUpdated": "2024-12-03T16:21:55.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3447 (GCVE-0-2023-3447)
Vulnerability from cvelistv5 – Published: 2023-06-29 04:28 – Updated: 2024-11-26 19:32
VLAI?
Summary
The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Injection in versions up to, and including, 4.1.5. This is due to insufficient escaping on the supplied username value. This makes it possible for unauthenticated attackers to extract potentially sensitive information from the LDAP directory.
Severity ?
8.6 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | Active Directory Integration / LDAP Integration |
Affected:
* , ≤ 4.1.5
(semver)
|
Credits
Luca Greeb
Andreas Krüger
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:55:03.573Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd7553e8-e43d-4740-b2ee-e3d8dc351e53?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2928150%40ldap-login-for-intranet-sites\u0026new=2928150%40ldap-login-for-intranet-sites\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3447",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T19:32:28.803184Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T19:32:37.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Active Directory Integration / LDAP Integration",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "4.1.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Luca Greeb"
},
{
"lang": "en",
"type": "finder",
"value": "Andreas Kr\u00fcger"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Injection in versions up to, and including, 4.1.5. This is due to insufficient escaping on the supplied username value. This makes it possible for unauthenticated attackers to extract potentially sensitive information from the LDAP directory."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-90 Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-29T04:28:35.916Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd7553e8-e43d-4740-b2ee-e3d8dc351e53?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2928150%40ldap-login-for-intranet-sites\u0026new=2928150%40ldap-login-for-intranet-sites\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2023-06-28T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-3447",
"datePublished": "2023-06-29T04:28:35.916Z",
"dateReserved": "2023-06-28T16:19:19.045Z",
"dateUpdated": "2024-11-26T19:32:37.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2982 (GCVE-0-2023-2982)
Vulnerability from cvelistv5 – Published: 2023-06-29 01:56 – Updated: 2024-11-27 16:18
VLAI?
Summary
The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5.
Severity ?
9.8 (Critical)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) |
Affected:
* , ≤ 7.6.4
(semver)
|
Credits
Lana Codes
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:03.909Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08ca186a-2486-4a58-9c53-03e9eba13e66?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/miniorange-login-openid/trunk/mo-openid-social-login-functions.php#L107"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2925914/miniorange-login-openid"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2924863/miniorange-login-openid"
},
{
"tags": [
"x_transferred"
],
"url": "https://lana.codes/lanavdb/2326f41f-a39f-4fde-8627-9d29fff91443/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2982",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T16:18:20.310071Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T16:18:29.073Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "7.6.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lana Codes"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-29T01:56:56.207Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/08ca186a-2486-4a58-9c53-03e9eba13e66?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/miniorange-login-openid/trunk/mo-openid-social-login-functions.php#L107"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2925914/miniorange-login-openid"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2924863/miniorange-login-openid"
},
{
"url": "https://lana.codes/lanavdb/2326f41f-a39f-4fde-8627-9d29fff91443/"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-28T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-05-30T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-06-28T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2982",
"datePublished": "2023-06-29T01:56:56.207Z",
"dateReserved": "2023-05-30T13:38:43.774Z",
"dateUpdated": "2024-11-27T16:18:29.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2599 (GCVE-0-2023-2599)
Vulnerability from cvelistv5 – Published: 2023-06-09 05:33 – Updated: 2024-12-20 23:41
VLAI?
Summary
The Active Directory Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to missing nonce verification on the get_users function and insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to cause resource exhaustion via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Severity ?
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | Active Directory Integration / LDAP Integration |
Affected:
* , ≤ 4.1.4
(semver)
|
Credits
Marco Wotschka
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:26:09.903Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74089b16-76fa-4654-9007-3f0c2e894894?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/ldap-login-for-intranet-sites/trunk/class-mo-ldap-user-auth-reports.php?rev=2859403#L64"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2910898%40ldap-login-for-intranet-sites%2Ftrunk\u0026old=2903294%40ldap-login-for-intranet-sites%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T23:25:24.870203Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T23:41:02.995Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Active Directory Integration / LDAP Integration",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "4.1.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Marco Wotschka"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Active Directory Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to missing nonce verification on the get_users function and insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to cause resource exhaustion via a forged request granted they can trick an administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T05:33:21.361Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74089b16-76fa-4654-9007-3f0c2e894894?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ldap-login-for-intranet-sites/trunk/class-mo-ldap-user-auth-reports.php?rev=2859403#L64"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2910898%40ldap-login-for-intranet-sites%2Ftrunk\u0026old=2903294%40ldap-login-for-intranet-sites%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file5"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-02T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-05-12T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2599",
"datePublished": "2023-06-09T05:33:21.361Z",
"dateReserved": "2023-05-09T14:46:45.280Z",
"dateUpdated": "2024-12-20T23:41:02.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}