Login Security Vulnerabilities

CVE-2021-24450 (cve)
The User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.8 did not sanitise or escape some of its settings before saving them and outputting them back in the page, allowing high privilege users such as admin to set JavaScript...
CVSS 4.8 | AI Score 4.7 | EPSS 0.001 | 2021-08-02 11:15 AM

CVE-2021-24328 (cve)
The WP Login Security and History WordPress plugin through 1.0 did not have a CSRF check when saving its settings, nor any sanitisation or validation on them. This could allow attackers to make logged in administrators change the plugin's settings to arbitrary values, and set XSS payloads on them as...
CVSS 6.2 | AI Score 6.1 | EPSS 0.002 | 2021-06-01 02:15 PM

CVE-2021-24306 (cve)
The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link to edit user's own profile, leading to an authenticated reflected Cross-Site Scripting issue...
CVSS 5.4 | AI Score 5.1 | EPSS 0.001 | 2021-05-24 11:15 AM

CVE-2021-24194 (cve)
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Login Protection - Limit Failed Login Attempts WordPress plugin before 2.9, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from...
CVSS 8.8 | AI Score 8.6 | EPSS 0.001 | 2021-05-14 12:15 PM

CVE-2021-24195 (cve)
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Login as User or Customer (User Switching) WordPress plugin before 1.8, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then...
CVSS 8.8 | AI Score 8.6 | EPSS 0.001 | 2021-05-14 12:15 PM

CVE-2021-24189 (cve)
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Captchinoo, Google recaptcha for admin login page WordPress plugin before 2.4, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from...
CVSS 8.8 | AI Score 8.6 | EPSS 0.001 | 2021-05-14 12:15 PM

CVE-2021-24239 (cve)
The Pie Register – User Registration Forms. Invitation based registrations, Custom Login, Payments WordPress plugin before 3.7.0.1 does not sanitise the invitaion_code GET parameter when outputting it in the Activation Code page, leading to a reflected Cross-Site Scripting...
CVSS 6.1 | AI Score 6.1 | EPSS 0.001 | 2021-04-22 09:15 PM

CVE-2021-3332 (cve)
WPS Hide Login 1.6.1 allows remote attackers to bypass a protection mechanism via...
CVSS 5.3 | AI Score 5.3 | EPSS 0.002 | 2021-03-01 09:15 PM

CVE-2020-35263 (cve)
EgavilanMedia User Registration & Login System 1.0 is affected by SQL injection to the admin panel, which may allow arbitrary code...
CVSS 9.8 | AI Score 9.8 | EPSS 0.003 | 2021-01-26 06:15 PM

CVE-2013-1053 (cve)
In crypt.c of remote-login-service, the cryptographic algorithm used to cache usernames and passwords is insecure. An attacker could use this vulnerability to recover usernames and passwords from the file. This issue affects version 1.0.0-0ubuntu3 and prior...
CVSS 5.5 | AI Score 5.4 | EPSS 0.0004 | 2021-01-13 11:15 PM

CVE-2012-10001 (cve)
The Limit Login Attempts plugin before 1.7.1 for WordPress does not clear auth cookies upon a lockout, which might make it easier for remote attackers to conduct brute-force authentication...
CVSS 9.8 | AI Score 9.5 | EPSS 0.007 | 2021-01-06 03:15 PM

CVE-2020-29230 (cve)
EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Panel - Manage User tab using the Full Name of the user. This vulnerability can result in the attacker injecting the XSS payload in the User Registration section and each...
CVSS 6.1 | AI Score 5.8 | EPSS 0.001 | 2020-12-30 07:15 PM

CVE-2020-29231 (cve)
EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by cross-site scripting (XSS) in the Admin Profile Page. This vulnerability can result in the attacker injecting the XSS payload in Admin Full Name and each time admin visits the Profile page from the admin panel,...
CVSS 5.4 | AI Score 5.1 | EPSS 0.001 | 2020-12-30 07:15 PM

CVE-2020-29228 (cve)
EGavilanMedia User Registration and Login System With Admin Panel 1.0 is affected by SQL injection in the User Login...
CVSS 7.5 | AI Score 7.9 | EPSS 0.001 | 2020-12-30 07:15 PM

CVE-2020-26766 (cve)
A Cross Site Request Forgery (CSRF) vulnerability exists in the loginsystem page in PHPGurukul User Registration & Login and User Management System With Admin Panel...
CVSS 8.8 | AI Score 8.7 | EPSS 0.001 | 2020-12-26 02:15 AM

CVE-2020-35252 (cve)
Cross Site Scripting (XSS) vulnerability via the 'Full Name' parameter in the User Registration section of User Registration & Login System with Admin Panel...
CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2020-12-23 07:15 PM

CVE-2020-35273 (cve)
EgavilanMedia User Registration & Login System with Admin Panel 1.0 is affected by Cross Site Request Forgery (CSRF) to remotely gain privileges in the User Profile panel. An attacker can update any user's...
CVSS 8 | AI Score 8 | EPSS 0.001 | 2020-12-21 03:15 PM

CVE-2020-35590 (cve)
LimitLoginAttempts.php in the limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows a bypass of (per IP address) rate limits because the X-Forwarded-For header can be forged. When the plugin is configured to accept an arbitrary header for the client source IP address, a malicious...
CVSS 9.8 | AI Score 9.4 | EPSS 0.002 | 2020-12-21 07:15 AM

CVE-2020-35589 (cve)
The limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows wp-admin/options-general.php?page=limit-login-attempts&tab= XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by...
CVSS 5.4 | AI Score 6.3 | EPSS 0.001 | 2020-12-21 07:15 AM

CVE-2020-24723 (cve)
Cross Site Scripting (XSS) vulnerability in the Registration page of the admin panel in PHPGurukul User Registration & Login and User Management System With admin panel...
CVSS 4.8 | AI Score 4.9 | EPSS 0.001 | 2020-11-18 01:15 PM

CVE-2020-25952 (cve)
SQL injection vulnerability in PHPGurukul User Registration & Login and User Management System With admin panel 2.1 allows remote attackers to execute arbitrary SQL commands and bypass...
CVSS 9.8 | AI Score 10 | EPSS 0.095 | 2020-11-16 04:15 PM

CVE-2020-25826 (cve)
PingID Integration for Windows Login before 2.4.2 allows local users to gain privileges by modifying...
CVSS 7.8 | AI Score 7.6 | EPSS 0.0004 | 2020-09-23 05:15 AM

CVE-2020-15164 (cve)
In Scratch Login (MediaWiki extension) before version 1.1, any account can be logged into by using the same username with leading, trailing, or repeated underscore(s), since those are treated as whitespace and trimmed by MediaWiki. This affects all users on any wiki using this extension. Since...
CVSS 10 | AI Score 9.4 | EPSS 0.001 | 2020-08-28 05:15 PM

CVE-2020-6753 (cve)
The Login by Auth0 plugin before 4.0.0 for WordPress allows stored XSS on multiple pages, a different issue than...
CVSS 6.1 | AI Score 7.3 | EPSS 0.001 | 2020-04-01 01:15 PM

CVE-2020-7947 (cve)
An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn't sanitized, and no input validation is performed, before the exporting of the user data...
CVSS 9.8 | AI Score 9.3 | EPSS 0.005 | 2020-04-01 01:15 PM

CVE-2020-7948 (cve)
An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. A user can perform an insecure direct object...
CVSS 8.8 | AI Score 9.1 | EPSS 0.003 | 2020-04-01 01:15 PM

CVE-2019-20173 (cve)
The Auth0 wp-auth0 plugin 3.11.x before 3.11.3 for WordPress allows XSS via a wle parameter associated with...
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2020-02-05 08:15 PM

CVE-2013-2198 (cve)
The Login Security module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 for Drupal allows attackers to bypass intended restrictions via a crafted...
CVSS 9.8 | AI Score 9.1 | EPSS 0.004 | 2020-01-30 09:15 PM

CVE-2019-16251 (cve)
plugin-fw/lib/yit-plugin-panel-wc.php in the YIT Plugin Framework through 3.3.8 for WordPress allows authenticated options...
CVSS 4.3 | AI Score 4.4 | EPSS 0.001 | 2019-10-31 05:15 PM

CVE-2015-9498 (cve)
The wps-hide-login plugin before 1.1 for WordPress has CSRF that affects saving an option...
CVSS 8.8 | AI Score 8.7 | EPSS 0.001 | 2019-10-22 09:15 PM

CVE-2019-15826 (cve)
The wps-hide-login plugin before 1.5.3 for WordPress has a protection bypass via wp-login.php in the Referer...
CVSS 9.8 | AI Score 9.4 | EPSS 0.007 | 2019-08-30 01:15 PM

CVE-2019-15820 (cve)
The login-or-logout-menu-item plugin before 1.2.0 for WordPress has no requirement for lolmi_save_settings...
CVSS 6.1 | AI Score 6.3 | EPSS 0.001 | 2019-08-30 01:15 PM

CVE-2019-15824 (cve)
The wps-hide-login plugin before 1.5.3 for WordPress has an adminhash protection...
CVSS 9.8 | AI Score 9.5 | EPSS 0.007 | 2019-08-30 01:15 PM

CVE-2019-15823 (cve)
The wps-hide-login plugin before 1.5.3 for WordPress has an action=confirmaction protection...
CVSS 9.8 | AI Score 9.5 | EPSS 0.007 | 2019-08-30 01:15 PM

CVE-2019-15825 (cve)
The wps-hide-login plugin before 1.5.3 for WordPress has an action=rp&key&login protection...
CVSS 9.8 | AI Score 9.5 | EPSS 0.007 | 2019-08-30 01:15 PM

CVE-2017-18573 (cve)
The simple-login-log plugin before 1.1.2 for WordPress has SQL...
CVSS 9.8 | AI Score 9.9 | EPSS 0.001 | 2019-08-22 01:15 PM

CVE-2015-9336 (cve)
The clean-login plugin before 1.5.1 for WordPress has reflected...
CVSS 6.1 | AI Score 6.4 | EPSS 0.001 | 2019-08-22 01:15 PM

CVE-2015-9322 (cve)
The erident-custom-login-and-dashboard plugin before 3.5 for WordPress has...
CVSS 8.8 | AI Score 8.7 | EPSS 0.001 | 2019-08-16 09:15 PM

CVE-2017-18514 (cve)
The simple-login-log plugin before 1.1.2 for WordPress has SQL...
CVSS 9.8 | AI Score 9.9 | EPSS 0.001 | 2019-08-14 03:15 PM

CVE-2017-18501 (cve)
The social-login-bws plugin before 0.2 for WordPress has multiple XSS...
CVSS 6.1 | AI Score 6 | EPSS 0.002 | 2019-08-12 04:15 PM

CVE-2018-11392 (cve)
An arbitrary file upload vulnerability in /classes/profile.class.php in Jigowatt "PHP Login & User Management" before 4.1.1, as distributed in the Envato Market, allows any remote authenticated user to upload .php files to the web server via a profile avatar field. This results in arbitrary code...
CVSS 8.8 | AI Score 8.5 | EPSS 0.007 | 2018-05-29 08:29 PM

CVE-2018-1000174 (cve)
An open redirect vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows attackers to redirect users to an arbitrary URL after successful...
CVSS 6.1 | AI Score 6.1 | EPSS 0.001 | 2018-05-08 03:29 PM

CVE-2018-1000173 (cve)
A session fixation vulnerability exists in Jenkins Google Login Plugin 1.3 and older in GoogleOAuth2SecurityRealm.java that allows unauthorized attackers to impersonate another user if they can control the pre-authentication...
CVSS 5.9 | AI Score 5.5 | EPSS 0.001 | 2018-05-08 03:29 PM

CVE-2014-5034 (cve)
Cross-site request forgery (CSRF) vulnerability in the Brute Force Login Protection module 1.3 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that have unknown impact via a crafted request to the brute-force-login-protection page to...
CVSS 8.8 | AI Score 8.9 | EPSS 0.008 | 2018-04-06 04:29 PM

CVE-2014-5000 (cve)
The login function in lib/lawn.rb in the lawn-login gem 0.0.7 for Ruby places credentials on the curl command line, which allows local users to obtain sensitive information by listing the...
CVSS 7.8 | AI Score 7.3 | EPSS 0.0004 | 2018-01-10 06:29 PM

CVE-2017-17029 (cve)
A buffer overflow vulnerability in the login function in QNAP QTS version 4.2.6 build 20171026, 4.3.3.0378 build 20171117, 4.3.4.0387 (Beta 2) build 20171116 and earlier could allow remote attackers to execute arbitrary code on NAS...
CVSS 9.8 | AI Score 9.9 | EPSS 0.031 | 2017-12-21 03:29 PM

CVE-2017-17030 (cve)
A buffer overflow vulnerability in the login function in QNAP QTS version 4.2.6 build 20171026, 4.3.3.0378 build 20171117, 4.3.4.0387 (Beta 2) build 20171116 and earlier could allow remote attackers to execute arbitrary code on NAS...
CVSS 9.8 | AI Score 9.9 | EPSS 0.031 | 2017-12-21 03:29 PM

CVE-2017-15867 (cve)
Multiple cross-site scripting (XSS) vulnerabilities in the user-login-history plugin through 1.5.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) date_from, (2) date_to, (3) user_id, (4) username, (5) country_name, (6) browser, (7) operating_system, or (8)...
CVSS 6.1 | AI Score 6.1 | EPSS 0.001 | 2017-10-24 07:29 PM

CVE-2016-0781 (cve)
The UAA OAuth approval pages in Cloud Foundry v208 to v231, Login-server v1.6 to v1.14, UAA v2.0.0 to v2.7.4.1, UAA v3.0.0 to v3.2.0, UAA-Release v2 to v7 and Pivotal Elastic Runtime 1.6.x versions prior to 1.6.20 are vulnerable to an XSS attack by specifying malicious java script content in...
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2017-05-25 05:29 PM

CVE-2016-3084 (cve)
The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal Elastic Runtime versions prior to 1.7.2 is vulnerable to a brute force attack due to multiple...
CVSS 8.1 | AI Score 8 | EPSS 0.002 | 2017-05-25 05:29 PM

Total number of security vulnerabilities: 333