Search
Find a vulnerability
Search criteria
3 vulnerabilities by getastra
CVE-2024-6641 (GCVE-0-2024-6641)
Vulnerability from cvelistv5 – Published: 2024-09-18 05:31 – Updated: 2026-04-08 17:02
VLAI
Title
WP Hardening – Fix Your WordPress Security <= 1.2.6 - Unauthenticated Security Feature Bypass to Username Enumeration
Summary
The WP Hardening – Fix Your WordPress Security plugin for WordPress is vulnerable to Security Feature Bypass in all versions up to, and including, 1.2.6. This is due to use of an incorrect regular expression within the "Stop User Enumeration" feature. This makes it possible for unauthenticated attackers to bypass intended security restrictions and expose site usernames.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-185 - Incorrect Regular Expression
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| astrasecuritysuite | WP Hardening (discontinued) |
Affected:
0 , ≤ 1.2.6
(semver)
|
|
| getastra | wp_hardening |
Affected:
0 , ≤ 1.2.6
(semver)
cpe:2.3:a:getastra:wp_hardening:*:*:*:*:*:wordpress:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:getastra:wp_hardening:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unaffected",
"product": "wp_hardening",
"vendor": "getastra",
"versions": [
{
"lessThanOrEqual": "1.2.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6641",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-18T15:01:44.858232Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T15:04:25.453Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Hardening (discontinued)",
"vendor": "astrasecuritysuite",
"versions": [
{
"lessThanOrEqual": "1.2.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Felipe Caon"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Hardening \u2013 Fix Your WordPress Security plugin for WordPress is vulnerable to Security Feature Bypass in all versions up to, and including, 1.2.6. This is due to use of an incorrect regular expression within the \"Stop User Enumeration\" feature. This makes it possible for unauthenticated attackers to bypass intended security restrictions and expose site usernames."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-185",
"description": "CWE-185 Incorrect Regular Expression",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:02:20.677Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7a52a278-1729-4027-8a00-e9804fa6698b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3151308/wp-security-hardening"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-10T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-09-17T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Hardening \u2013 Fix Your WordPress Security \u003c= 1.2.6 - Unauthenticated Security Feature Bypass to Username Enumeration"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-6641",
"datePublished": "2024-09-18T05:31:13.844Z",
"dateReserved": "2024-07-10T00:52:55.526Z",
"dateUpdated": "2026-04-08T17:02:20.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-24373 (GCVE-0-2021-24373)
Vulnerability from cvelistv5 – Published: 2021-06-21 19:18 – Updated: 2024-08-03 19:28
VLAI
Title
WP Hardening < 1.2.2 - Reflected XSS via historyvalue
Summary
The WP Hardening – Fix Your WordPress Security WordPress plugin before 1.2.2 did not sanitise or escape the historyvalue GET parameter before outputting it in a Javascript block, leading to a reflected Cross-Site Scripting issue.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/fcf17278-609f-4f… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | WP Hardening – Fix Your WordPress Security |
Affected:
1.2.2 , < 1.2.2
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.763Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/fcf17278-609f-4f75-8a87-9b4579dee1c8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP Hardening \u2013 Fix Your WordPress Security",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.2.2",
"status": "affected",
"version": "1.2.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "dc11"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Hardening \u2013 Fix Your WordPress Security WordPress plugin before 1.2.2 did not sanitise or escape the historyvalue GET parameter before outputting it in a Javascript block, leading to a reflected Cross-Site Scripting issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-21T19:18:20.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/fcf17278-609f-4f75-8a87-9b4579dee1c8"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WP Hardening \u003c 1.2.2 - Reflected XSS via historyvalue",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24373",
"STATE": "PUBLIC",
"TITLE": "WP Hardening \u003c 1.2.2 - Reflected XSS via historyvalue"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP Hardening \u2013 Fix Your WordPress Security",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.2.2",
"version_value": "1.2.2"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "dc11"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WP Hardening \u2013 Fix Your WordPress Security WordPress plugin before 1.2.2 did not sanitise or escape the historyvalue GET parameter before outputting it in a Javascript block, leading to a reflected Cross-Site Scripting issue."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/fcf17278-609f-4f75-8a87-9b4579dee1c8",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/fcf17278-609f-4f75-8a87-9b4579dee1c8"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24373",
"datePublished": "2021-06-21T19:18:20.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:28:23.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24372 (GCVE-0-2021-24372)
Vulnerability from cvelistv5 – Published: 2021-06-21 19:18 – Updated: 2024-08-03 19:28
VLAI
Title
WP Hardening < 1.2.2 - Reflected XSS via URI
Summary
The WP Hardening – Fix Your WordPress Security WordPress plugin before 1.2.2 did not sanitise or escape the $_SERVER['REQUEST_URI'] before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue.
Severity
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/5340ae4e-95ba-4a… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | WP Hardening – Fix Your WordPress Security |
Affected:
1.2.2 , < 1.2.2
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.783Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/5340ae4e-95ba-4a69-beb1-3459cac17782"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP Hardening \u2013 Fix Your WordPress Security",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.2.2",
"status": "affected",
"version": "1.2.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "dc11"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Hardening \u2013 Fix Your WordPress Security WordPress plugin before 1.2.2 did not sanitise or escape the $_SERVER[\u0027REQUEST_URI\u0027] before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-21T19:18:19.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/5340ae4e-95ba-4a69-beb1-3459cac17782"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WP Hardening \u003c 1.2.2 - Reflected XSS via URI",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24372",
"STATE": "PUBLIC",
"TITLE": "WP Hardening \u003c 1.2.2 - Reflected XSS via URI"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP Hardening \u2013 Fix Your WordPress Security",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.2.2",
"version_value": "1.2.2"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "dc11"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WP Hardening \u2013 Fix Your WordPress Security WordPress plugin before 1.2.2 did not sanitise or escape the $_SERVER[\u0027REQUEST_URI\u0027] before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/5340ae4e-95ba-4a69-beb1-3459cac17782",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/5340ae4e-95ba-4a69-beb1-3459cac17782"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24372",
"datePublished": "2021-06-21T19:18:19.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:28:23.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}