4539 matches found

OSV
added 2023/08/16 5:15 a.m. | 2 views

CVE-2023-4374

The WP Remote Users Sync plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the 'refreshlogsasync' functions in versions up to, and including, 1.2.11. This makes it possible for authenticated attackers with subscriber...

CVSS 4.3 | AI score 5.8
Exploits: 0 | References: 3

Prion
added 2023/08/16 5:15 a.m. | 12 views

Design/Logic Flaw

The WP Remote Users Sync plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the 'refreshlogsasync' functions in versions up to, and including, 1.2.11. This makes it possible for authenticated attackers with subscriber...

CVSS 4 | AI score 4.6 | EPSS 0.00172
Exploits: 0 | References: 3 | Affected Software: 1

Vulnrichment
added 2023/08/16 4:36 a.m. | 2 views

CVE-2023-4374 WP Remote Users Sync <= 1.2.11 - Missing Authorization to Authenticated (Subscriber+) Log View

The WP Remote Users Sync plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the 'refreshlogsasync' functions in versions up to, and including, 1.2.11. This makes it possible for authenticated attackers with subscriber...

CVSS 4.3 | AI score 6.7 | EPSS 0.00172
Exploits: 0 | References: 3

CVE
added 2023/08/16 4:36 a.m. | 41 views

CVE-2023-4374

CVE-2023-4374 – WP Remote Users Sync (WordPress) vulnerability affecting versions up to 1.2.11 due to a missing capability check in the refresh_logs_async function. This permits authenticated users with subscriber privileges or higher to view logs and potentially add data. Impact is information d...

CVSS 4.3 | AI score 4.6 | EPSS 0.00172
Exploits: 0 | References: 3 | Affected Software: 1

Cvelist
added 2023/08/16 4:36 a.m. | 18 views

CVE-2023-3958 WP Remote Users Sync <= 1.2.12 - Authenticated (Subscriber+) Server Side Request Forgery

The WP Remote Users Sync plugin for WordPress is vulnerable to Server Side Request Forgery via the 'notifypingremote' AJAX function in versions up to, and including, 1.2.12. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locatio...

CVSS 8.5 | AI score 8.5 | EPSS 0.00204
Exploits: 0 | References: 4

CVE
added 2023/08/16 4:36 a.m. | 2493 views

CVE-2023-3958

CVE-2023-3958 affects the WP Remote Users Sync WordPress plugin. The vulnerability is a Server-Side Request Forgery (SSRF) via the notify_ping_remote AJAX function in versions up to and including 1.2.12. An authenticated attacker with subscriber-level permissions (or higher) can cause the web app...

CVSS 8.5 | AI score 5.8 | EPSS 0.00204
Exploits: 0 | References: 4 | Affected Software: 1

Patchstack
added 2023/08/16 12:0 a.m. | 8 views

WordPress WP Remote Users Sync Plugin <= 1.2.12 is vulnerable to Server Side Request Forgery (SSRF)

Software: WP Remote Users Sync; Type: Plugin; Vulnerable versions: <= 1.2.12; Fixed in: 1.2.13; OWASP Top 10: A1: Broken Access Control; Classification: Server Side Request Forgery (SSRF); CVE: CVE-2023-3958; Patch priority: High; CVSS severity: High 8.5; PSID: 57ad18456846; Credits: Lana Codes...

CVSS 8.5 | AI score 6.6 | EPSS 0.00204
Exploits: 0 | References: 3 | Affected Software: 1

CNNVD
added 2023/08/16 12:0 a.m. | 2 views

WordPress Plugin Remote Users Sync Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in WordPres...

CVSS 4.3 | AI score 6.5 | EPSS 0.00172
Exploits: 0 | References: 4

Patchstack
added 2023/08/16 12:0 a.m. | 20 views

WordPress WP Remote Users Sync Plugin <= 1.2.11 is vulnerable to Broken Access Control

Software: WP Remote Users Sync; Type: Plugin; Vulnerable versions: <= 1.2.11; Fixed in: 1.2.12; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2023-4374; Patch priority: Low; CVSS severity: Low 4.3; PSID: 367f50681d32; Credits: Lana Codes; Required...

CVSS 4.3 | AI score 6.6 | EPSS 0.00172
Exploits: 0 | References: 3 | Affected Software: 1

CNNVD
added 2023/08/16 12:0 a.m. | 2 views

WordPress Plugin Remote Users Sync Code Issue Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A code issue vulnerability exists in...

CVSS 8.5 | AI score 7.2 | EPSS 0.00204
Exploits: 0 | References: 5

Malwarebytes
added 2023/08/15 2:0 a.m. | 21 views

Ford says it’s safe to drive its cars with a WiFi vulnerability

Ford has released information about a buffer overflow vulnerability in its SYNC 3 infotainment system. Ford learned from a supplier that a security researcher had discovered a vulnerability in the Wi-Fi software driver supplied for use in the SYNC 3 infotainment system available on some Ford and...

CVSS 7.5 | AI score 8.2 | EPSS 0.55762
Exploits: 0

Positive Technologies
added 2023/08/15 12:0 a.m. | 1 view

PT-2023-28959 · WordPress · Wp Remote Users Sync

Name of the Vulnerable Software and Affected Versions: WP Remote Users Sync plugin for WordPress versions up to, and including, 1.2.11. Description: The issue allows unauthorized access and addition of data due to a missing capability check on the refresh logs async function. This makes it possibl...

CVSS 4.3 | AI score 5.3 | EPSS 0.00172
Exploits: 0 | References: 10

SUSE CVE
added 2023/08/11 2:13 a.m. | 1 view

SUSE CVE-2023-32559

A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API process.binding can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding'spawnsyn...

CVSS 5.6 | AI score 8.4 | EPSS 0.00061
Exploits: 1 | References: 14

GoogleProjectZero
added 2023/08/02 12:0 a.m. | 16 views

MTE As Implemented, Part 1: Implementation Testing

By Mark Brand, Project Zero. Background: In 2018, in the v8.5a version of the ARM architecture, ARM proposed a hardware implementation of tagged memory, referred to as MTE (Memory Tagging Extensions). Through mid-2022 and early 2023, Project Zero had access to pre-production hardware implementing thi...

AI score 7.1
Exploits: 0

Patchstack
added 2023/07/18 12:0 a.m. | 4 views

WordPress Sync eCommerce NEO Plugin <= 1.4 is vulnerable to Cross Site Scripting (XSS)

Software: Sync eCommerce NEO; Type: Plugin; Vulnerable versions: <= 1.4; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2023-33999; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 9dbd1f3d1861; Credits: Rafie Muhammad Patchstack Require...

AI score 6.5
Exploits: 0 | References: 2 | Affected Software: 1

Patchstack
added 2023/07/18 12:0 a.m. | 9 views

WordPress Date Picker by Input WP – Sync bookings with external Calendars (.ics) Plugin <= 2.2 is vulnerable to Cross Site Scripting (XSS)

Software: Date Picker by Input WP – Sync bookings with external Calendars (.ics); Type: Plugin; Vulnerable versions: <= 2.2; Fixed in: 2.3; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2023-33999; Patch priority: Medium; CVSS severity: Medium 7.1; PSID...

AI score 6.2
Exploits: 0 | References: 3 | Affected Software: 1

Patchstack
added 2023/07/18 12:0 a.m. | 5 views

WordPress BotMate - Automate or Sync Your Sites With No Code Plugin <= 1.0.0 is vulnerable to Cross Site Scripting (XSS)

Software: BotMate - Automate or Sync Your Sites With No Code; Type: Plugin; Vulnerable versions: <= 1.0.0; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2023-33999; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 8348fa6fe814; Credits...

AI score 6.6
Exploits: 0 | References: 3 | Affected Software: 1

Code423n4
added 2023/07/10 12:0 a.m. | 9 views

Funds added to reserves through sync are accidentally transferred out to users

Lines of code Vulnerability details Impact Wells have the ability to shift funds to other Wells as part of gas-efficient multi-pool swaps. This natspec explanation of this can be found here. The sync function is intended to synchronize the underlying token amounts with the token reserves of the...

AI score 6.8
Exploits: 0

Code423n4
added 2023/07/10 12:0 a.m. | 9 views

The constant product invariant can be broken.

Lines of code Vulnerability details description Let reserves returned by Well.getReserves as x, y and Well.tokenSupply as k. They must maintain the invariant x * y * EXPPRECISION = k^2. However, the reserves can increase without updating the token supply if a user transfers one token of the well and...

AI score 6.7
Exploits: 0

Code423n4
added 2023/07/10 12:0 a.m. | 12 views

TWAP can be easily manipulated by attacker through the sync() function, causing loss of funds

Lines of code Vulnerability details Description Please refer to the issue titled Implementation of Well shift function allows attackers to completely manipulate the oracles for relevant introduction and context. The safety of the TWAP relies on calling the observation function update with the...

AI score 6.9
Exploits: 0