Vulnerabilities > Miniorange
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2023-07-18 | CVE-2022-34155 | Improper Authentication vulnerability in Miniorange Oauth Single Sign on | Improper Authentication vulnerability in miniOrange OAuth Single Sign On – SSO (OAuth Client) plugin allows Authentication Bypass. This issue affects OAuth Single Sign On – SSO (OAuth Client): from n/a through 6.23.3. | 8.8 |
2023-06-30 | CVE-2023-3249 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Miniorange Web3 - Crypto Wallet Login & NFT Token Gating | The Web3 – Crypto wallet Login & NFT token gating plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.6.0. | 9.8 |
2023-06-29 | CVE-2023-3447 | LDAP Injection vulnerability in Miniorange Active Directory Integration / Ldap Integration | The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Injection in versions up to, and including, 4.1.5. | 7.5 |
2023-06-29 | CVE-2023-2982 | Authentication Bypass Using an Alternate Path or Channel vulnerability in Miniorange Wordpress Social Login and Register (Discord, Google, Twitter, Linkedin) | The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. | 9.8 |
2023-06-09 | CVE-2023-2484 | SQL Injection vulnerability in Miniorange Active Directory Integration / Ldap Integration | The Active Directory Integration plugin for WordPress is vulnerable to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. | 4.9 |
2023-06-09 | CVE-2023-2599 | Cross-Site Request Forgery (CSRF) vulnerability in Miniorange Active Directory Integration / Ldap Integration | The Active Directory Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to missing nonce verification on the get_users function, insufficient escaping on the user-supplied parameter, and lack of sufficient preparation on the existing SQL query. | 6.5 |
2023-05-23 | CVE-2023-23706 | Cross-Site Request Forgery (CSRF) vulnerability in Miniorange Wordpress Social Login and Register (Discord, Google, Twitter, Linkedin) | Cross-Site Request Forgery (CSRF) vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin <= 7.5.14 versions. | 8.8 |
2023-05-15 | CVE-2023-0812 | Information Exposure vulnerability in Miniorange Active Directory Integration / Ldap Integration | The Active Directory Integration / LDAP Integration WordPress plugin before 4.1.1 does not have proper authorization or nonce values for some POST requests, leading to unauthenticated data disclosure. | 7.5 |
2023-01-30 | CVE-2022-4496 | Open Redirect vulnerability in Miniorange Saml SP Single Sign on | The SAML SSO Standard WordPress plugin version 16.0.0 before 16.0.8, SAML SSO Premium WordPress plugin version 12.0.0 before 12.1.0 and SAML SSO Premium Multisite WordPress plugin version 20.0.0 before 20.0.7 do not validate that the redirect parameter to the SSO login endpoint points to an internal site URL, making them vulnerable to an Open Redirect issue when the user is already logged in. | 6.1 |
2023-01-17 | CVE-2023-23749 | Injection vulnerability in Miniorange Ldap Integration With Active Directory and Openldap 5.0.2 | The 'LDAP Integration with Active Directory and OpenLDAP - NTLM & Kerberos Login' extension is vulnerable to LDAP Injection since it is not properly sanitizing the 'username' POST parameter. | 7.5 |