Common Vulnerabilities

In the Lana Codes Common Vulnerability Database (LANACOMMONVDB), we collect the vulnerabilities we discover in other systems and provide standard descriptions.

CVE ID:

CVE-2022-3024

WordPress Plugin

simple-bitcoin-faucets <= 1.7.0

Vulnerability Type:

Cross-Site Request Forgery (CSRF),
Cross-Site Scripting (XSS),
Missing Authorization

Date:

2022-08-27

The plugin does not have any authorisation or Cross-Site Request Forgery (CSRF) check in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and add, delete or edit Bonds. Furthermore, due to the lack of sanitisation and escaping, this could also lead to Stored Cross-Site Scripting (XSS) issues.

CVE ID:

CVE-2022-3025

WordPress Plugin

bitcoin-faucet <= 1.6.0

Vulnerability Type:

Cross-Site Request Forgery (CSRF),
Cross-Site Scripting (XSS)

Date:

2022-08-27

The plugin does not have any Cross-Site Request Forgery (CSRF) check when saving its settings, allowing an attacker to make a logged-in admin change them via a Cross-Site Request Forgery (CSRF) attack. Furthermore, due to the lack of sanitisation and escaping, this could also lead to Stored Cross-Site Scripting (XSS) issues.

CVE ID:

CVE-2022-3082

WordPress Plugin

miniorange-discord-integration <= 2.1.5

Vulnerability Type:

Cross-Site Request Forgery (CSRF),
Missing Authorization

Date:

2022-08-26

The plugin does not have authorisation or Cross-Site Request Forgery (CSRF) checks in some of its AJAX actions, allowing any logged-in user, such as a subscriber, to call them and, for example, disable the app.

CVE ID:

CVE-2022-37412

WordPress Plugin

better-delete-revision <= 1.6.1

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2022-08-26

The plugin was affected by a Cross-Site Scripting (XSS) vulnerability.

CVE ID:

CVE-2023-23896

WordPress Plugin

mts-url-shortener <= 1.0.17

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2022-08-26

The plugin does not have proper Cross-Site Request Forgery (CSRF) checks in some places, which could allow attackers to make logged-in admins perform unwanted actions via Cross-Site Request Forgery (CSRF) attacks.

CVE ID:

CVE-2022-42461

WordPress Plugin

miniorange-2-factor-authentication <= 5.5.82

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2022-08-26

The plugin does not have proper Cross-Site Request Forgery (CSRF) checks in some places, which could allow attackers to make logged-in admins perform unwanted actions via Cross-Site Request Forgery (CSRF) attacks.

CVE ID:

CVE-2022-2987

WordPress Plugin

ldap-wp-login-integration-with-active-directory <= 3.0.1

Vulnerability Type:

Authentication Bypass,
Cross-Site Request Forgery (CSRF),
Missing Authorization

Date:

2022-08-24

The plugin does not have any authorisation or Cross-Site Request Forgery (CSRF) check when updating its settings (which are hooked to the init action), allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticate users, thereby bypassing the existing authentication.

CVE ID:

CVE-2022-3119

WordPress Plugin

oauth-client-for-user-authentication <= 3.0.3

Vulnerability Type:

Authentication Bypass,
Cross-Site Request Forgery (CSRF),
Missing Authorization

Date:

2022-08-12

The plugin is affected by Broken Access Control and Cross-Site Request Forgery (CSRF) vulnerabilities that can be used to modify the OAuth server endpoints, which leads to an Authentication Bypass. To bypass authentication, an attacker only needs to know the user's email address; depending on whose email address is known, the attacker may even be given an administrative role on the client's website.

CVE ID:

CVE-2022-36345

WordPress Plugin

download-plugin <= 2.0.4

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2022-08-12

The plugin does not have proper Cross-Site Request Forgery (CSRF) checks in some places, which could allow attackers to make logged-in admins perform unwanted actions via Cross-Site Request Forgery (CSRF) attacks.

CVE ID:

CVE-2022-38062

WordPress Plugin

download-theme <= 1.0.9

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2022-08-12

The plugin does not have proper Cross-Site Request Forgery (CSRF) checks in some places, which could allow attackers to make logged-in admins perform unwanted actions via Cross-Site Request Forgery (CSRF) attacks.

CVE ID:

CVE-2022-36352

WordPress Plugin

profilegrid-user-profiles-groups-and-communities <= 5.0.2

Vulnerability Type:

Cross-Site Request Forgery (CSRF),
Missing Authorization

Date:

2022-08-01

The plugin was affected by Missing Authorization and Cross-Site Request Forgery (CSRF) vulnerabilities. The plugin provides a frontend user profile, groups, communities and a messenger. However, the messenger is vulnerable because it performs no user authentication check, which allows an attacker to list and modify other users' messages.

CVE ID:

CVE-2022-34839

WordPress Plugin

oauth2-server <= 1.0.1

Vulnerability Type:

Authentication Bypass

Date:

2022-06-23

The plugin was affected by an Auth Bypass vulnerability.

CVE ID:

CVE-2022-34858

WordPress Plugin

oauth-client <= 1.11.3

Vulnerability Type:

Authentication Bypass

Date:

2022-06-13

The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, an attacker only needs to know the user's email address; depending on whose email address is known, the attacker may even be given an administrator role on the client's website.

CVE ID:

CVE-2022-2133

WordPress Plugin

miniorange-login-with-eve-online-google-facebook <= 6.22.5

Vulnerability Type:

Authentication Bypass

Date:

2022-06-12

The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, an attacker only needs to know the user's email address; depending on whose email address is known, the attacker may even be given an administrator role on the client's website.

CVE ID:

CVE-2022-34149

WordPress Plugin

miniorange-oauth-20-server <= 3.0.4

Vulnerability Type:

Authentication Bypass

Date:

2022-06-12

The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, an attacker only needs to know the user's username, which can easily be queried because it is usually public data. Depending on whose username is known, the attacker may even be given an administrator role on the client's website.

CVE ID:

CVE-2022-2083

WordPress Plugin

single-sign-on-client <= 4.1.0

Vulnerability Type:

Authentication Bypass

Date:

2022-06-01

The plugin was affected by an Auth Bypass vulnerability. The plugin leaks its OAuth client_secret, which could be used by attackers to gain unauthorized access to the site. Depending on the settings of the OAuth server, an attacker may even be given an administrator role on the client's website.