Truoc Phan’s CVE

Truoc Phan
May 5, 2021

Timeline:

June 21, 2023

CVE-2023-3353: [WordPress Plugin] Smush — Lazy Load Images, Optimize & Compress Images ≤ 3.13.1 — Cross-Site Request Forgery to Resmush List Deletion

Report Date: June 20, 2023

Collaborators: An Đặng

Vendor: WPMU DEV

Product:

Base Score:

Vector:

Rewarded: NO

References:

CVE-2023-3352: [WordPress Plugin] Smush — Lazy Load Images, Optimize & Compress Images ≤ 3.13.1 — Missing Authorization to Resmush List Deletion

Report Date: June 20, 2023

Collaborators: An Đặng

Vendor: WPMU DEV

Product:

Base Score:

Vector:

Rewarded: NO

References:

June 15, 2023

CVE-2023-3277: [WordPress Plugin] MStore API ≤ 3.9.7 — Unauthorized Account Access and Privilege Escalation

Report Date: June 14, 2023

Vendor: InspireUI

Product:

Base Score:

Vector:

Rewarded: NO

References:

June 12, 2023

CVE-2023-3203: [WordPress Plugin] MStore API ≤ 3.9.6 — Cross-Site Request Forgery to Product Limit Update

Report Date: June 12, 2023

Vendor: InspireUI

Product:

Base Score: 4.3 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Rewarded: NO

References:

CVE-2023-3202: [WordPress Plugin] MStore API ≤ 3.9.6 — Cross-Site Request Forgery to Firebase Server Key Update

Report Date: June 12, 2023

Vendor: InspireUI (https://inspireui.com/)

Product:

Base Score: 4.3 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Rewarded: NO

References:

CVE-2023-3201: [WordPress Plugin] MStore API ≤ 3.9.6 — Cross-Site Request Forgery to Order Title Update

Report Date: June 12, 2023

Vendor: InspireUI (https://inspireui.com/)

Product:

Base Score: 4.3 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Rewarded: NO

References:

CVE-2023-3200: [WordPress Plugin] MStore API ≤ 3.9.6 — Cross-Site Request Forgery to Order Message Update

Report Date: June 12, 2023

Vendor: InspireUI (https://inspireui.com/)

Product:

Base Score: 4.3 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Rewarded: NO

References:

CVE-2023-3199: [WordPress Plugin] MStore API ≤ 3.9.6 — Cross-Site Request Forgery to Order Title Update

Report Date: June 12, 2023

Vendor: InspireUI (https://inspireui.com/)

Product:

Base Score: 4.3 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Rewarded: NO

References:

CVE-2023-3198: [WordPress Plugin] MStore API ≤ 3.9.6 — Cross-Site Request Forgery to Order Status Update

Report Date: June 12, 2023

Vendor: InspireUI (https://inspireui.com/)

Product:

Base Score: 4.3 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Rewarded: NO

References:

CVE-2023-3197: [WordPress Plugin] MStore API ≤ 3.9.6 — Unauthenticated SQL Injection

Report Date: June 12, 2023

Collaborators: An Đặng

Vendor: InspireUI (https://inspireui.com/)

Product:

Base Score:

Vector:

Rewarded: NO

References:

June 09, 2023

CVE-2023-3170: [WordPress Theme] Newsmag ≤ 5.3 — Admin+ Stored Cross-Site Scripting

Report Date:

Vendor: tagDiv (https://tagdiv.com/)

Product:

Base Score:

Vector:

Rewarded: NO

References:

June 06, 2023

CVE-2023-3131: [WordPress Plugin] MStore API ≤ 3.9.5 — Subscriber+ Unauthorized Settings Update

Report Date: May 27, 2023

Vendor: InspireUI (https://inspireui.com/)

Product:

Base Score:

Vector:

Rewarded: NO

References:

June 02, 2023

CVE-2023-3077: [WordPress Plugin] MStore API ≤ 3.9.5 — Unauthenticated Blind SQLi

Report Date: May 27, 2023

Vendor: InspireUI (https://inspireui.com/)

Product:

Base Score:

Vector:

Rewarded: NO

References:

CVE-2023-3076: [WordPress Plugin] MStore API ≤ 3.9.5 — Unauthenticated Privilege Escalation

Report Date: May 31, 2023

Vendor: InspireUI (https://inspireui.com/)

Product:

Base Score:

Vector:

Rewarded: NO

References:

March 23, 2023

CVE-2023-1596: [WordPress Plugin] tagDiv Composer < 4.0 — Reflected Cross-site Scripting (RXSS)

Report Date: March 22, 2023

Vendor: tagDiv (https://tagdiv.com/)

Product:

Base Score: 6.1 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Rewarded: NO

References:

CVE-2023-1597: tagDiv Cloud Library < 2.7 — Unauthenticated Arbitrary User Metadata Update to Privilege Escalation

Report Date: March 22, 2023

Vendor: tagDiv (https://tagdiv.com/)

Product:

Base Score: 9.8 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Rewarded: NO

References:

December 29, 2022

CVE-2022-48160: Stock Manager Advance ≤ 3.4.54 — Reflected Cross-site Scripting (RXSS)

Report Date: December 26, 2022 (Tecdiary removed my PoC) / December 27, 2022 (MITRE)

Vendor: Tecdiary (https://tecdiary.net/)

Product:

Base Score:

Vector:

Rewarded: NO

References:

December 15, 2022

CVE-2022-4522: PopCalendarXP / FlatCalendarXP < 10.0.2 — DOM-based Cross-site Scripting (DXSS)

Report Date: November 22, 2022

Vendor: CalendarXP (https://www.calendarxp.net/)

Product:

Base Score: 6.1 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Rewarded: NO

References:

October 12, 2022

CVE-2022-3477: tagDiv Composer < 3.5 — Unauthorized Account Access and Privilege Escalation

Report Date: August 3, 2022 (reported to the vendor version 11.5.1 (Newspaper theme) and not fixed in version 12)

Vendor: tagDiv (https://tagdiv.com/)

Product:

Base Score: 9.8 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Rewarded: NO

References:

September 13, 2022

CVE-2022-3209: [WordPress Theme] Soledad < 8.2.5 — Reflected Cross-site Scripting (RXSS)

Report Date: August 11, 2022

Vendor: PenciDesign (http://soledad.pencidesign.com/)

Product: Soledad (https://themeforest.net/item/soledad-multiconcept-blogmagazine-wp-theme/12945398)

Base Score: 6.1 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Rewarded: NO

References:

June 22, 2022

CVE-2022-2167: [WordPress Theme] Newspaper < 12 — Reflected Cross-Site Scripting (RXSS)

Report Date: June 18, 2022

Vendor: tagDiv (https://tagdiv.com/)

Product: Newspaper (https://themeforest.net/item/newspaper/5489609)

Base Score: 6.1 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Rewarded: NO

References:

June 25, 2021

CVE-2021-24474: [WordPress Plugin] Awesome Weather Widget <= 3.0.2 - Reflected Cross-site Scripting (RXSS)

Report Date: May 04, 2021

Vendor: Hal Gatewood

Product: Awesome Weather Widget (https://wordpress.org/plugins/awesome-weather/)

Base Score: 6.1 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Rewarded: NO

References:

June 11, 2021

CVE-2021-24407: [WordPress Theme] Jannah < 5.4.5 - Reflected Cross-Site Scripting (RXSS)

Report Date: June 09, 2021

Vendor: TieLabs (https://jannah.tielabs.com/)

Product: Jannah (https://themeforest.net/item/jannah-wordpress-news-magazine-theme/19659555)

Base Score: 6.1 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Rewarded: NO

References:

June 10, 2021

CVE-2021-24389: [WordPress Theme] FoodBakery < 2.2 - Reflected Cross-Site Scripting (RXSS)

Report Date: May 31, 2021

Vendor: Chimpstudio

Product: FoodBakery (https://themeforest.net/item/food-bakery-restaurant-bakery-responsive-wordpress-theme/18970331)

Base Score: 6.1 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Rewarded: NO

References:

May 31, 2021

CVE-2021-24364: [WordPress Theme] Jannah < 5.4.4 - Reflected Cross-Site Scripting (RXSS)

Report Date: May 29, 2021

Vendor: TieLabs (https://jannah.tielabs.com/)

Product: Jannah (https://themeforest.net/item/jannah-wordpress-news-magazine-theme/19659555)

Base Score: 6.1 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Rewarded: NO

References:

May 24, 2021

CVE-2021-24342: [WordPress Theme] JNews < 8.0.6 - Reflected Cross-Site Scripting (RXSS)

Report Date: May 19, 2021

Vendor: jegtheme (https://jnews.io/)

Product: JNews (https://themeforest.net/item/jnews-one-stop-solution-for-web-publishing/20566392)

Base Score: 6.1 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Rewarded: NO

References:

May 07, 2021

CVE-2021-3135: [WordPress Theme] Newspaper < 11 — Reflected Cross-Site Scripting (RXSS)

Report Date: April 24, 2021

Vendor: tagDiv (https://tagdiv.com/)

Product: Newspaper (https://themeforest.net/item/newspaper/5489609)

Base Score: 6.1 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Rewarded: NO

References:

CVE-2021-24304: [WordPress Theme] Newsmag < 5.0 — Reflected Cross-site Scripting (RXSS)

Report Date: April 24, 2021

Vendor: tagDiv (https://tagdiv.com/)

Product: Newsmag (https://themeforest.net/item/newsmag-news-magazine-newspaper/9512331)

Base Score: 6.1 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Rewarded: NO

References:

May 04, 2021

CVE-2021-24296: [WordPress Plugin] WP Customer Reviews < 3.5.6 - Authenticated Stored Cross-Site Scripting (SXSS)

Report Date: April 28, 2021

Vendor: Aaron Queen

Product: WP Customer Reviews (https://wordpress.org/plugins/wp-customer-reviews/)

Base Score: 4.8 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Rewarded: NO

References:

CVE-2021-24297: [WordPress Theme] Goto < 2.1 - Reflected Cross-Site Scripting (RXSS)

Report Date: April 28, 2021

Vendor: BoostifyThemes (https://boostifythemes.com/)

Product: Goto (https://themeforest.net/item/goto-tour-travel-wordpress-theme/21822828)

Base Score: 6.1 MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Rewarded: NO

References:
