Vulnerabilities > Miniorange > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-08-31 | CVE-2022-4539 | Insufficient Verification of Data Authenticity vulnerability in Miniorange web Application Firewall The Web Application Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1.2. | 5.3 |
| 2024-01-16 | CVE-2023-4757 | Cross-site Scripting vulnerability in Miniorange Staff / Employee Business Directory for Active Directory The Staff / Employee Business Directory for Active Directory WordPress plugin before 1.2.3 does not sanitize and escape data returned from the LDAP server before rendering it in the page, allowing users who can control their entries in the LDAP directory to inject malicious javascript which could be used against high-privilege users such as a site admin. | 5.4 |
| 2023-10-20 | CVE-2022-4943 | Missing Authorization vulnerability in Miniorange Google Authenticator The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. | 5.3 |
| 2023-09-27 | CVE-2023-4505 | Unspecified vulnerability in Miniorange Staff / Employee Business Directory for Active Directory The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. | 4.9 |
| 2023-09-27 | CVE-2023-4506 | Unspecified vulnerability in Miniorange Active Directory Integration / Ldap Integration 3.5.8/3.7.3 The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 4.1.10. | 6.5 |
| 2023-06-09 | CVE-2023-2484 | Unspecified vulnerability in Miniorange Active Directory Integration / Ldap Integration The Active Directory Integration plugin for WordPress is vulnerable to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 4.9 |
| 2023-06-09 | CVE-2023-2599 | Unspecified vulnerability in Miniorange Active Directory Integration / Ldap Integration The Active Directory Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to missing nonce verification on the get_users function and insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 6.5 |
| 2023-03-27 | CVE-2023-1092 | Unspecified vulnerability in Miniorange Oauth Single Sign on The OAuth Single Sign On Free WordPress plugin before 6.24.2, OAuth Single Sign On Standard WordPress plugin before 28.4.9, OAuth Single Sign On Premium WordPress plugin before 38.4.9 and OAuth Single Sign On Enterprise WordPress plugin before 48.4.9 do not have CSRF checks when deleting Identity Providers (IdP), which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack | 6.5 |
| 2023-03-27 | CVE-2023-1093 | Unspecified vulnerability in Miniorange Oauth Single Sign on The OAuth Single Sign On WordPress plugin before 6.24.2 does not have CSRF checks when discarding Identify providers (IdP), which could allow attackers to make logged in admins delete all IdP via a CSRF attack | 6.5 |
| 2023-01-30 | CVE-2022-4496 | Unspecified vulnerability in Miniorange Saml SP Single Sign on 12.0.0/16.0.0/20.0.0 The SAML SSO Standard WordPress plugin version 16.0.0 before 16.0.8, SAML SSO Premium WordPress plugin version 12.0.0 before 12.1.0 and SAML SSO Premium Multisite WordPress plugin version 20.0.0 before 20.0.7 does not validate that the redirect parameter to its SSO login endpoint points to an internal site URL, making it vulnerable to an Open Redirect issue when the user is already logged in. | 6.1 |