Search criteria
4 vulnerabilities found for WP Remote Users Sync by frogerme
CVE-2023-4374 (GCVE-0-2023-4374)
Vulnerability from nvd – Published: 2023-08-16 04:36 – Updated: 2026-04-08 16:44
VLAI
Title
WP Remote Users Sync <= 1.2.11 - Missing Authorization to Authenticated (Subscriber+) Log View
Summary
The WP Remote Users Sync plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the 'refresh_logs_async' functions in versions up to, and including, 1.2.11. This makes it possible for authenticated attackers with subscriber privileges or above, to view logs.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| frogerme | WP Remote Users Sync |
Affected:
0 , ≤ 1.2.11
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:24:04.791Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e87cfc4-8e7c-47d6-80fc-9c293cdd8acb?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wp-remote-users-sync/trunk/inc/class-wprus-logger.php#L117"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2946667/wp-remote-users-sync#file130"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4374",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T18:28:41.921865Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T19:35:47.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Remote Users Sync",
"vendor": "frogerme",
"versions": [
{
"lessThanOrEqual": "1.2.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Remote Users Sync plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the \u0027refresh_logs_async\u0027 functions in versions up to, and including, 1.2.11. This makes it possible for authenticated attackers with subscriber privileges or above, to view logs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:44:26.087Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e87cfc4-8e7c-47d6-80fc-9c293cdd8acb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-remote-users-sync/trunk/inc/class-wprus-logger.php#L117"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2946667/wp-remote-users-sync#file130"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-08-01T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-08-01T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-08-15T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Remote Users Sync \u003c= 1.2.11 - Missing Authorization to Authenticated (Subscriber+) Log View"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-4374",
"datePublished": "2023-08-16T04:36:01.177Z",
"dateReserved": "2023-08-15T15:36:00.226Z",
"dateUpdated": "2026-04-08T16:44:26.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-3958 (GCVE-0-2023-3958)
Vulnerability from nvd – Published: 2023-08-16 04:36 – Updated: 2026-04-08 16:44
VLAI
Title
WP Remote Users Sync <= 1.2.12 - Authenticated (Subscriber+) Server Side Request Forgery
Summary
The WP Remote Users Sync plugin for WordPress is vulnerable to Server Side Request Forgery via the 'notify_ping_remote' AJAX function in versions up to, and including, 1.2.12. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. This was partially patched in version 1.2.12 and fully patched in version 1.2.13.
Severity
8.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| frogerme | WP Remote Users Sync |
Affected:
0 , ≤ 1.2.12
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:50.691Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e78c759-4a54-4ee4-8eff-df91fe9dad46?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wp-remote-users-sync/trunk/inc/api/class-wprus-api-abstract.php#L674"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2946667/wp-remote-users-sync#file127"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2953845/wp-remote-users-sync#file0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3958",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T18:28:44.733030Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T19:35:54.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Remote Users Sync",
"vendor": "frogerme",
"versions": [
{
"lessThanOrEqual": "1.2.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Remote Users Sync plugin for WordPress is vulnerable to Server Side Request Forgery via the \u0027notify_ping_remote\u0027 AJAX function in versions up to, and including, 1.2.12. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. This was partially patched in version 1.2.12 and fully patched in version 1.2.13."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:44:24.049Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e78c759-4a54-4ee4-8eff-df91fe9dad46?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-remote-users-sync/trunk/inc/api/class-wprus-api-abstract.php#L674"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2946667/wp-remote-users-sync#file127"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2953845/wp-remote-users-sync#file0"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-07-24T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-07-24T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-08-15T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Remote Users Sync \u003c= 1.2.12 - Authenticated (Subscriber+) Server Side Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-3958",
"datePublished": "2023-08-16T04:36:00.625Z",
"dateReserved": "2023-07-26T18:07:16.600Z",
"dateUpdated": "2026-04-08T16:44:24.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-4374 (GCVE-0-2023-4374)
Vulnerability from cvelistv5 – Published: 2023-08-16 04:36 – Updated: 2026-04-08 16:44
VLAI
Title
WP Remote Users Sync <= 1.2.11 - Missing Authorization to Authenticated (Subscriber+) Log View
Summary
The WP Remote Users Sync plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the 'refresh_logs_async' functions in versions up to, and including, 1.2.11. This makes it possible for authenticated attackers with subscriber privileges or above, to view logs.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| frogerme | WP Remote Users Sync |
Affected:
0 , ≤ 1.2.11
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:24:04.791Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e87cfc4-8e7c-47d6-80fc-9c293cdd8acb?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wp-remote-users-sync/trunk/inc/class-wprus-logger.php#L117"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2946667/wp-remote-users-sync#file130"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4374",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T18:28:41.921865Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T19:35:47.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Remote Users Sync",
"vendor": "frogerme",
"versions": [
{
"lessThanOrEqual": "1.2.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Remote Users Sync plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the \u0027refresh_logs_async\u0027 functions in versions up to, and including, 1.2.11. This makes it possible for authenticated attackers with subscriber privileges or above, to view logs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:44:26.087Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e87cfc4-8e7c-47d6-80fc-9c293cdd8acb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-remote-users-sync/trunk/inc/class-wprus-logger.php#L117"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2946667/wp-remote-users-sync#file130"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-08-01T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-08-01T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-08-15T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Remote Users Sync \u003c= 1.2.11 - Missing Authorization to Authenticated (Subscriber+) Log View"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-4374",
"datePublished": "2023-08-16T04:36:01.177Z",
"dateReserved": "2023-08-15T15:36:00.226Z",
"dateUpdated": "2026-04-08T16:44:26.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-3958 (GCVE-0-2023-3958)
Vulnerability from cvelistv5 – Published: 2023-08-16 04:36 – Updated: 2026-04-08 16:44
VLAI
Title
WP Remote Users Sync <= 1.2.12 - Authenticated (Subscriber+) Server Side Request Forgery
Summary
The WP Remote Users Sync plugin for WordPress is vulnerable to Server Side Request Forgery via the 'notify_ping_remote' AJAX function in versions up to, and including, 1.2.12. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. This was partially patched in version 1.2.12 and fully patched in version 1.2.13.
Severity
8.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| frogerme | WP Remote Users Sync |
Affected:
0 , ≤ 1.2.12
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:08:50.691Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e78c759-4a54-4ee4-8eff-df91fe9dad46?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wp-remote-users-sync/trunk/inc/api/class-wprus-api-abstract.php#L674"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2946667/wp-remote-users-sync#file127"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2953845/wp-remote-users-sync#file0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3958",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T18:28:44.733030Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T19:35:54.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Remote Users Sync",
"vendor": "frogerme",
"versions": [
{
"lessThanOrEqual": "1.2.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Remote Users Sync plugin for WordPress is vulnerable to Server Side Request Forgery via the \u0027notify_ping_remote\u0027 AJAX function in versions up to, and including, 1.2.12. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. This was partially patched in version 1.2.12 and fully patched in version 1.2.13."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:44:24.049Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e78c759-4a54-4ee4-8eff-df91fe9dad46?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-remote-users-sync/trunk/inc/api/class-wprus-api-abstract.php#L674"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2946667/wp-remote-users-sync#file127"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2953845/wp-remote-users-sync#file0"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-07-24T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-07-24T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-08-15T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Remote Users Sync \u003c= 1.2.12 - Authenticated (Subscriber+) Server Side Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-3958",
"datePublished": "2023-08-16T04:36:00.625Z",
"dateReserved": "2023-07-26T18:07:16.600Z",
"dateUpdated": "2026-04-08T16:44:24.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}