Common Vulnerabilities

The plugin does not have any Cross-Site Request Forgery (CSRF) check when saving its settings, allowing attacker to make a logged in admin change them via a Cross-Site Request Forgery (CSRF) attack. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting (XSS) issues.

The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) in some of its AJAX actions, allowing any logged in users, such as subscriber to call them, and disable the app for example.

The plugin was affected by a Cross-Site Scripting (XSS) vulnerability.

The plugin does not have proper Cross-Site Request Forgery (CSRF) check in some places, which could allow attackers to make logged in admins perform unwanted actions via Cross-Site Request Forgery (CSRF) attacks.

The plugin does not have proper Cross-Site Request Forgery (CSRF) check in some places, which could allow attackers to make logged in admins perform unwanted actions via Cross-Site Request Forgery (CSRF) attacks.

The plugin does not have any authorisation and Cross-Site Request Forgery (CSRF) check when updating it’s settings (which are hooked to the init action), allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticated users, therefore bypassing the current authentication.

The plugin is affected by a Broken Access Control, Cross-Site Request Forgery (CSRF) vulnerability that can be used to modify the OAuth server endpoints, which leads to an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s email address. Depending on whose email address we know, we may even be given an administrative role on the client’s website.

The plugin does not have proper Cross-Site Request Forgery (CSRF) check in some places, which could allow attackers to make logged in admins perform unwanted actions via Cross-Site Request Forgery (CSRF) attacks.

The plugin does not have proper Cross-Site Request Forgery (CSRF) check in some places, which could allow attackers to make logged in admins perform unwanted actions via Cross-Site Request Forgery (CSRF) attacks.

The plugin was affected by Missing Authorization and Cross-Site Request Forgery (CSRF) vulnerabilities. The plugin creates a frontend user profile, groups, communities and messenger. However, the messenger is vulnerable because there is no user authentication, so the vulnerability allows us to list and modify other users’ messages.

The plugin was affected by an Auth Bypass vulnerability.

The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s email address. Depending on whose email address we know, we may even be given an administrator role on the client’s website.

The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s email address. Depending on whose email address we know, we may even be given an administrator role on the client’s website.

The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s username. Depending on whose username we know, which can be easily queried because it is usually public data, we may even be given an administrator role on the client’s website.

The plugin was affected by an Auth Bypass vulnerability. The plugin leaks its OAuth client_secret, which could be used by attackers to gain unauthorized access to the site. Depending on the settings of the OAuth server, we may even be given an administrator role on the client’s website.