Vulnerabilities > Miniorange > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-08-31 CVE-2022-4539 Insufficient Verification of Data Authenticity vulnerability in Miniorange web Application Firewall
The Web Application Firewall plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1.2.
network
low complexity
miniorange CWE-345
5.3
2024-01-16 CVE-2023-4757 Cross-site Scripting vulnerability in Miniorange Staff / Employee Business Directory for Active Directory
The Staff / Employee Business Directory for Active Directory WordPress plugin before 1.2.3 does not sanitize and escape data returned from the LDAP server before rendering it in the page, allowing users who can control their entries in the LDAP directory to inject malicious javascript which could be used against high-privilege users such as a site admin.
network
low complexity
miniorange CWE-79
5.4
2023-10-20 CVE-2022-4943 Missing Authorization vulnerability in Miniorange Google Authenticator
The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5.
network
low complexity
miniorange CWE-862
5.3
2023-09-27 CVE-2023-4505 Unspecified vulnerability in Miniorange Staff / Employee Business Directory for Active Directory
The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3.
network
low complexity
miniorange
4.9
2023-09-27 CVE-2023-4506 Unspecified vulnerability in Miniorange Active Directory Integration / Ldap Integration
The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 4.1.10.
network
low complexity
miniorange
6.5
2023-06-09 CVE-2023-2484 Unspecified vulnerability in Miniorange Active Directory Integration / Ldap Integration
The Active Directory Integration plugin for WordPress is vulnerable to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
network
low complexity
miniorange
4.9
2023-06-09 CVE-2023-2599 Unspecified vulnerability in Miniorange Active Directory Integration / Ldap Integration
The Active Directory Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to missing nonce verification on the get_users function and insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
network
low complexity
miniorange
6.5
2023-04-25 CVE-2023-23710 Cross-site Scripting vulnerability in Miniorange Wordpress Social Login and Register (Discord, Google, Twitter, Linkedin)
Auth.
network
low complexity
miniorange CWE-79
4.8
2023-03-27 CVE-2023-1092 Unspecified vulnerability in Miniorange Oauth Single Sign on
The OAuth Single Sign On Free WordPress plugin before 6.24.2, OAuth Single Sign On Standard WordPress plugin before 28.4.9, OAuth Single Sign On Premium WordPress plugin before 38.4.9 and OAuth Single Sign On Enterprise WordPress plugin before 48.4.9 do not have CSRF checks when deleting Identity Providers (IdP), which could allow attackers to make logged in admins delete arbitrary IdP via a CSRF attack
network
low complexity
miniorange
6.5
2023-03-27 CVE-2023-1093 Unspecified vulnerability in Miniorange Oauth Single Sign on
The OAuth Single Sign On WordPress plugin before 6.24.2 does not have CSRF checks when discarding Identify providers (IdP), which could allow attackers to make logged in admins delete all IdP via a CSRF attack
network
low complexity
miniorange
6.5