15 matches found
WP Cerber < 8.9.3 - Broken Access Control
WP Cerber 8.9.3 contains a bypass of /wp-json access control caused by improper handling of a trailing '?' character, letting unauthorized users access protected REST API endpoints. The exploit requires sending a request with a trailing '?'. id: CVE-2021-37598 info: name: WP Cerber 8.9.3 - Broken Acces...
EUVD-2021-24155
Malware in sbrugna...
EUVD-2021-24156
Malware in sbrugna...
CVE-2021-37597
WP Cerber before 8.9.3 allows MFA bypass via wordpress_logged_in_[hash] manipulation...
CVE-2022-4417 WP Cerber < 9.3.3 - User Enumeration Bypass via Rest API
The WP Cerber Security, Anti-spam & Malware Scan WordPress plugin before 9.3.3 does not properly block access to the REST API users endpoint when the blog is in a subdirectory, which could allow attackers to bypass the restriction in place and list users...
CVE-2022-4417 WP Cerber < 9.3.3 - User Enumeration Bypass via Rest API
The WP Cerber Security, Anti-spam & Malware Scan WordPress plugin before 9.3.3 does not properly block access to the REST API users endpoint when the blog is in a subdirectory, which could allow attackers to bypass the restriction in place and list users...
WP Cerber < 9.3.3 - User Enumeration Bypass via Rest API
The plugin does not properly block access to the REST API users endpoint when the blog is in a subdirectory, which could allow attackers to bypass the restriction in place and list users. When the "Block access to users' data via REST API" setting is enabled...
CVE-2021-37597
WP Cerber before 8.9.3 allows MFA bypass via wordpress_logged_in_[hash] manipulation...
CVE-2021-37598
WP Cerber before 8.9.3 allows bypass of /wp-json access control via a trailing ? character...
Design/Logic Flaw
WP Cerber before 8.9.3 allows MFA bypass via wordpress_logged_in_[hash] manipulation...
CVE-2021-37597
WP Cerber before 8.9.3 allows MFA bypass via wordpress_logged_in_[hash] manipulation...
CVE-2021-37597
CVE-2021-37597 affects WordPress WP Cerber plugin versions prior to 8.9.3, where MFA can be bypassed by manipulating the wordpress_logged_in_[hash] value. The issue is described in multiple sources as a 2FA bypass vulnerability with high impact. A fix is available in version 8.9.3 and later; upgr...
CVE-2021-37598
WP Cerber before 8.9.3 allows bypass of /wp-json access control via a trailing ? character...
CVE-2021-37598
WP Cerber before 8.9.3 has a broken access control in the /wp-json endpoint caused by improper handling of a trailing ? character, allowing unauthorized access to protected REST API endpoints. Affected software: WP Cerber versions prior to 8.9.3. The root cause is a bypass of the access control f...
WP Cerber Security < 8.9.3 - Rest-API Protection Bypass
By default, WP Cerber blocks access to the /wp-json REST API endpoint and its information. However, appending a ? bypasses the access control list protections, and data can then be retrieved from the endpoint...