Lucene search
K

152 matches found

WPVulnDB
WPVulnDB
added 2022/06/27 12:0 a.m.19 views

miniOrange's Google Authenticator < 5.5.75 - Reflected Cross-Site Scripting

The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=mo2fatwofa"...

0.3AI score
Exploits0Affected Software1
wpexploit
wpexploit
added 2022/06/27 12:0 a.m.122 views

miniOrange's Google Authenticator < 5.5.75 - Reflected Cross-Site Scripting

The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting https://example.com/wp-admin/admin.php?page=mo2fatwofa&a"alert/XSS/...

0.4AI score
Exploits0
CNNVD
CNNVD
added 2022/06/27 12:0 a.m.2 views

WordPress plugin Google Authenticator 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plugin. versions of the WordPress Google Authenticator plugin prior to 1.0.5 are vulnerable to cross-site...

4.3CVSS5.2AI score0.00412EPSS
Exploits2References2
CNNVD
CNNVD
added 2022/06/27 12:0 a.m.4 views

WordPress plugin Google Authenticator 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plug-in. A cross-site scripting vulnerability exists in versions of WordPress prior to Google Authenticator...

4.8CVSS5.6AI score0.00548EPSS
Exploits2References2
WPVulnDB
WPVulnDB
added 2022/06/06 12:0 a.m.17 views

Google Authenticator < 1.0.8 - Admin+ Stored Cross-Site Scripting

The plugin does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed PoC Put the following payload in the Account Name settings and click on the 'Change App name' button: " autofocus...

4.8CVSS2.4AI score0.00552EPSS
Exploits2Affected Software1
wpexploit
wpexploit
added 2022/06/06 12:0 a.m.146 views

miniOrange Google Authenticator < 1.0.5 - CSRF to Stored Cross-Site Scripting

The plugin does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks v ' / v...

4.3CVSS0.5AI score0.00412EPSS
Exploits2
wpexploit
wpexploit
added 2022/06/06 12:0 a.m.139 views

Google Authenticator < 1.0.8 - Admin+ Stored Cross-Site Scripting

The plugin does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed Put the following payload in the Account Name settings and click on the 'Change App name' button: " autofocus onfocus=alert/XSS//...

4.8CVSS1.6AI score0.00552EPSS
Exploits2
WPVulnDB
WPVulnDB
added 2022/06/06 12:0 a.m.20 views

miniOrange's Google Authenticator < 5.5.6 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfilteredhtml is disallowed for example in multisite setup PoC Enable 2FA + Website Security and...

4.8CVSS4.9AI score0.00548EPSS
Exploits2Affected Software1
wpexploit
wpexploit
added 2022/06/06 12:0 a.m.150 views

miniOrange's Google Authenticator < 5.5.6 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfilteredhtml is disallowed for example in multisite setup Enable 2FA + Website Security and put...

4.8CVSS0.4AI score0.00548EPSS
Exploits2
Patchstack
Patchstack
added 2022/06/06 12:0 a.m.18 views

WordPress miniOrange's Google Authenticator plugin <= 5.5.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Niraj Mahajan in WordPress miniOrange's Google Authenticator plugin versions = 5.5.5. Solution Update the WordPress miniOrange's Google Authenticator plugin to the latest available version at least 5.5.6...

4.8CVSS2.4AI score0.00548EPSS
Exploits2References1Affected Software1
CNVD
CNVD
added 2022/03/23 12:0 a.m.26 views

WordPress miniOrange's Google Authenticator plugin cross-site request forgery vulnerability

WordPress is a blogging platform developed by the Wordpress Foundation using the PHP language. WordPress plugin is a WordPress application plugin. WordPress miniOrange's Google Authenticator plugin version 5.5 or earlier is vulnerable to a cross-site request forgery vulnerability that stems from...

5.8CVSS8.1AI score0.00538EPSS
Exploits2Affected Software1
ATTACKERKB
ATTACKERKB
added 2022/03/21 7:15 p.m.5 views

CVE-2022-0229

The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog,...

8.1CVSS7.6AI score0.00538EPSS
Exploits2References2
NVD
NVD
added 2022/03/21 7:15 p.m.28 views

CVE-2022-0229

The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog,...

8.1CVSS0.00538EPSS
Exploits2References1
Prion
Prion
added 2022/03/21 7:15 p.m.26 views

Cross site request forgery (csrf)

The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog,...

5.8CVSS8.1AI score0.00538EPSS
Exploits2References1Affected Software1
Cvelist
Cvelist
added 2022/03/21 6:55 p.m.30 views

CVE-2022-0229 miniOrange's Google Authenticator < 5.5 - Unauthenticated Arbitrary Options Deletion

The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog,...

8.3AI score0.00538EPSS
Exploits2References1
CNNVD
CNNVD
added 2022/03/21 12:0 a.m.4 views

WordPress plugin miniOrange 安全漏洞

WordPress is a blogging platform developed by the Wordpress Foundation using the PHP language. WordPress plugin is a WordPress application plugin. WordPress miniOrange's Google Authenticator plugin version 5.5 or earlier is vulnerable to a cross-site request forgery vulnerability that stems from...

8.1CVSS5.6AI score0.00538EPSS
Exploits2References2
Positive Technologies
Positive Technologies
added 2022/03/21 12:0 a.m.5 views

PT-2022-13048 · Miniorange · Google Authenticator Wordpress Plugin

Name of the Vulnerable Software and Affected Versions: miniOrange's Google Authenticator WordPress plugin versions prior to 5.5 Description: The issue arises from the lack of proper authorization and CSRF checks when handling the reconfigureMethod, and improper validation of parameters passed to...

8.1CVSS8.1AI score0.00538EPSS
Exploits2References5
Malwarebytes
Malwarebytes
added 2022/03/15 9:54 p.m.52 views

Escobar is the new Android banking Trojan we’ve met before

Aberebot, a known Android banking Trojan, has changed its name and returned loaded with new features. First spotted by @MalwareHunterTeam in early March, this mobile variant was renamed "Escobar"—a homage to the Colombian drug baron—and disguised itself as a McAfee app. It went by the package nam...

0.6AI score
Exploits0
wpexploit
wpexploit
added 2022/02/28 12:0 a.m.233 views

miniOrange's Google Authenticator < 5.5 - Unauthenticated Arbitrary Options Deletion

The plugin does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable. Note: The initial issue was fixed in...

8.1CVSS3.2AI score0.00538EPSS
Exploits2
Patchstack
Patchstack
added 2022/02/28 12:0 a.m.27 views

WordPress miniOrange's Google Authenticator plugin <= 5.4.52 - Unauthenticated Arbitrary Options Deletion vulnerability

Unauthenticated Arbitrary Options Deletion vulnerability discovered by Krzysztof Zając in WordPress miniOrange's Google Authenticator plugin versions = 5.4.52. Solution Update the WordPress miniOrange's Google Authenticator plugin to the latest available version at least 5.5...

8.1CVSS3.7AI score0.00538EPSS
Exploits2References3Affected Software1
Rows per page
Query Builder