RSS   Vulnerabilities for 'Mycred'   RSS

2022-04-25
 
CVE-2022-0287

CWE-200
 

 
The myCred WordPress plugin before 2.4.3.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as subscriber to call and retrieve all email addresses from the blog

 
 
CVE-2022-0363

CWE-862
 

 
The myCred WordPress plugin before 2.4.4 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated users, such as subscribers, to call it and import mycred setup, thus creating badges, managing points or creating arbitrary posts.

 
2022-01-24
 
CVE-2021-25015

CWE-79
 

 
The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue

 
2021-11-29
 
CVE-2017-20008

CWE-79
 

 
The myCred WordPress plugin before 1.7.8 does not sanitise and escape the user parameter before outputting it back in the Points Log admin dashboard, leading to a Reflected Cross-Site Scripting

 
 
CVE-2021-24755

CWE-89
 

 
The myCred WordPress plugin before 2.3 does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user

 


Copyright 2024, cxsecurity.com

 

Back to Top