Vulnerabilities > Miniorange > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-08-31 CVE-2022-4539 Insufficient Verification of Data Authenticity vulnerability in Miniorange web Application Firewall
The Web Application Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1.2.
network
low complexity
miniorange CWE-345
5.3
2024-01-16 CVE-2023-4757 Cross-site Scripting vulnerability in Miniorange Staff / Employee Business Directory for Active Directory
The Staff / Employee Business Directory for Active Directory WordPress plugin before 1.2.3 does not sanitize and escape data returned from the LDAP server before rendering it in the page, allowing users who can control their entries in the LDAP directory to inject malicious javascript which could be used against high-privilege users such as a site admin.
network
low complexity
miniorange CWE-79
5.4
2023-10-20 CVE-2022-4943 Missing Authorization vulnerability in Miniorange Google Authenticator
The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5.
network
low complexity
miniorange CWE-862
5.3
2023-09-27 CVE-2023-4505 Unspecified vulnerability in Miniorange Staff / Employee Business Directory for Active Directory
The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3.
network
low complexity
miniorange
4.9
2023-09-27 CVE-2023-4506 Unspecified vulnerability in Miniorange Active Directory Integration / Ldap Integration 3.5.8/3.7.3
The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 4.1.10.
network
low complexity
miniorange
6.5
2023-06-09 CVE-2023-2484 Unspecified vulnerability in Miniorange Active Directory Integration / Ldap Integration
The Active Directory Integration plugin for WordPress is vulnerable to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
network
low complexity
miniorange
4.9
2023-06-09 CVE-2023-2599 Unspecified vulnerability in Miniorange Active Directory Integration / Ldap Integration
The Active Directory Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to missing nonce verification on the get_users function and insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
network
low complexity
miniorange
6.5
2023-03-27 CVE-2023-1092 Unspecified vulnerability in Miniorange Oauth Single Sign on
The OAuth Single Sign On Free WordPress plugin before 6.24.2, OAuth Single Sign On Standard WordPress plugin before 28.4.9, OAuth Single Sign On Premium WordPress plugin before 38.4.9 and OAuth Single Sign On Enterprise WordPress plugin before 48.4.9 do not have CSRF checks when deleting Identity Providers (IdP), which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack
network
low complexity
miniorange
6.5
2023-03-27 CVE-2023-1093 Unspecified vulnerability in Miniorange Oauth Single Sign on
The OAuth Single Sign On WordPress plugin before 6.24.2 does not have CSRF checks when discarding Identify providers (IdP), which could allow attackers to make logged in admins delete all IdP via a CSRF attack
network
low complexity
miniorange
6.5
2023-01-30 CVE-2022-4496 Unspecified vulnerability in Miniorange Saml SP Single Sign on 12.0.0/16.0.0/20.0.0
The SAML SSO Standard WordPress plugin version 16.0.0 before 16.0.8, SAML SSO Premium WordPress plugin version 12.0.0 before 12.1.0 and SAML SSO Premium Multisite WordPress plugin version 20.0.0 before 20.0.7 does not validate that the redirect parameter to its SSO login endpoint points to an internal site URL, making it vulnerable to an Open Redirect issue when the user is already logged in.
network
low complexity
miniorange
6.1