Vulnerabilities > Miniorange > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-08-31 | CVE-2022-4539 | Insufficient Verification of Data Authenticity vulnerability in Miniorange web Application Firewall The Web Application Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1.2. | 5.3 |
| 2024-01-16 | CVE-2023-4757 | Cross-site Scripting vulnerability in Miniorange Staff / Employee Business Directory for Active Directory The Staff / Employee Business Directory for Active Directory WordPress plugin before 1.2.3 does not sanitize and escape data returned from the LDAP server before rendering it in the page, allowing users who can control their entries in the LDAP directory to inject malicious javascript which could be used against high-privilege users such as a site admin. | 5.4 |
| 2023-10-20 | CVE-2022-4943 | Missing Authorization vulnerability in Miniorange Google Authenticator The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. | 5.3 |
| 2023-09-27 | CVE-2023-4505 | Unspecified vulnerability in Miniorange Staff / Employee Business Directory for Active Directory The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. | 4.9 |
| 2023-09-27 | CVE-2023-4506 | Unspecified vulnerability in Miniorange Active Directory Integration / Ldap Integration The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 4.1.10. | 6.5 |
| 2023-06-09 | CVE-2023-2484 | Unspecified vulnerability in Miniorange Active Directory Integration / Ldap Integration The Active Directory Integration plugin for WordPress is vulnerable to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 4.9 |
| 2023-06-09 | CVE-2023-2599 | Unspecified vulnerability in Miniorange Active Directory Integration / Ldap Integration The Active Directory Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to missing nonce verification on the get_users function and insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 6.5 |
| 2023-04-25 | CVE-2023-23710 | Cross-site Scripting vulnerability in Miniorange Wordpress Social Login and Register (Discord, Google, Twitter, Linkedin) Auth. | 4.8 |
| 2023-03-27 | CVE-2023-1092 | Unspecified vulnerability in Miniorange Oauth Single Sign on The OAuth Single Sign On Free WordPress plugin before 6.24.2, OAuth Single Sign On Standard WordPress plugin before 28.4.9, OAuth Single Sign On Premium WordPress plugin before 38.4.9 and OAuth Single Sign On Enterprise WordPress plugin before 48.4.9 do not have CSRF checks when deleting Identity Providers (IdP), which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack | 6.5 |
| 2023-03-27 | CVE-2023-1093 | Unspecified vulnerability in Miniorange Oauth Single Sign on The OAuth Single Sign On WordPress plugin before 6.24.2 does not have CSRF checks when discarding Identify providers (IdP), which could allow attackers to make logged in admins delete all IdP via a CSRF attack | 6.5 |