WordPress Plugin Vulnerabilities

IgniteUp < 3.4.1 - Multiple Issues

Description

All issues can be triggered by unauthenticated users:

- Arbitrary File Deletion
- HTML injection & CSRF in email messages
- Stored Cross-Site Scripting
- Disclosure of subscribers' email address
- Arbitrary subscriber deletion
- Arbitrary plugin’s template switch

Affects Plugins

Plugin icon
igniteup
Fixed in 3.4.1

References

CVE
CVE-2019-17234
CVE
CVE-2019-17235
CVE
CVE-2019-17236
CVE
CVE-2019-17237
URL
https://blog.nintechnet.com/multiple-vulnerabilities-in-wordpress-igniteup-coming-soon-and-maintenance-mode-plugin/

Miscellaneous

Original Researcher
Jerome Bruandet
Verified
No
WPVDB ID
b4159c47-de75-441b-9c25-2c0b74544a39

Timeline

Publicly Published
2019-11-10 (about 6 years ago)
Added
2019-11-10 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2014-08-01
Title
Comment Rating 2.9.32 - Security Bypass Weakness & SQL Injection
Published
2016-12-14
Title
Podlove Podcast Publisher <= 2.3.15 - Multiple SQLi & XSS
Published
2019-02-13
Title
Online Accessibility <= 2.0.10 - CSRF and lack of Authorisation in AJAX methods
Published
2019-09-08
Title
Photo Gallery by 10Web < 1.5.35 - SQL Injection & XSS
Published
2019-06-10
Title
Attendance Manager <= 0.5.6 - CSRF & XSS