Search criteria
3 vulnerabilities by verygoodplugins
CVE-2023-7202 (GCVE-0-2023-7202)
Vulnerability from cvelistv5 – Published: 2024-02-27 08:30 – Updated: 2024-10-28 00:09
VLAI
Title
Fatal Error Notify < 1.5.3 - Subscriber+ Test Error Email Sending
Summary
The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated users, such as subscriber to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF
Severity
6.1 (Medium)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/d923ba5b-1c20-40… | exploitvdb-entrytechnical-description |
| https://research.cleantalk.org/cve-2023-7202-fata… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | Fatal Error Notify |
Affected:
0 , < 1.5.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-7202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-27T14:33:53.033931Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T00:09:36.117Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:57:35.020Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/d923ba5b-1c20-40ee-ac69-cd0bb65b375a/"
},
{
"tags": [
"x_transferred"
],
"url": "https://research.cleantalk.org/cve-2023-7202-fatal-error-notify-error-email-sending-csrf/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Fatal Error Notify",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.5.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated users, such as subscriber to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T08:30:23.406Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/d923ba5b-1c20-40ee-ac69-cd0bb65b375a/"
},
{
"url": "https://research.cleantalk.org/cve-2023-7202-fatal-error-notify-error-email-sending-csrf/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Fatal Error Notify \u003c 1.5.3 - Subscriber+ Test Error Email Sending",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2023-7202",
"datePublished": "2024-02-27T08:30:23.406Z",
"dateReserved": "2024-01-03T12:33:57.206Z",
"dateUpdated": "2024-10-28T00:09:36.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-34660 (GCVE-0-2021-34660)
Vulnerability from cvelistv5 – Published: 2021-08-09 12:23 – Updated: 2025-05-23 20:11
VLAI
Title
WP Fusion Lite <= 3.37.18 Reflected Cross-Site Scripting
Summary
The WP Fusion Lite WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the startdate parameter found in the ~/includes/admin/logging/class-log-table-list.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.37.18.
Severity
6.1 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.wordfence.com/vulnerability-advisorie… | x_refsource_MISC |
| https://plugins.trac.wordpress.org/browser/wp-fus… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Very Good Plugins | WP Fusion Lite |
Affected:
3.37.18 , ≤ 3.37.18
(custom)
|
Date Public
2021-08-06 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:19:47.331Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34660"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wp-fusion-lite/trunk/includes/admin/logging/class-log-table-list.php?rev=2497097#L427"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-34660",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-23T20:10:57.237514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T20:11:00.382Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WP Fusion Lite",
"vendor": "Very Good Plugins",
"versions": [
{
"lessThanOrEqual": "3.37.18",
"status": "affected",
"version": "3.37.18",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Xu-Liang Liao"
}
],
"datePublic": "2021-08-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The WP Fusion Lite WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the startdate parameter found in the ~/includes/admin/logging/class-log-table-list.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.37.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-09T12:23:26.000Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34660"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://plugins.trac.wordpress.org/browser/wp-fusion-lite/trunk/includes/admin/logging/class-log-table-list.php?rev=2497097#L427"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 3.37.30 or newer of the plugin."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WP Fusion Lite \u003c= 3.37.18 Reflected Cross-Site Scripting",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "Wordfence",
"ASSIGNER": "security@wordfence.com",
"DATE_PUBLIC": "2021-08-06T17:51:00.000Z",
"ID": "CVE-2021-34660",
"STATE": "PUBLIC",
"TITLE": "WP Fusion Lite \u003c= 3.37.18 Reflected Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP Fusion Lite",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.37.18",
"version_value": "3.37.18"
}
]
}
}
]
},
"vendor_name": "Very Good Plugins"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Xu-Liang Liao"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WP Fusion Lite WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the startdate parameter found in the ~/includes/admin/logging/class-log-table-list.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.37.18."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34660",
"refsource": "MISC",
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34660"
},
{
"name": "https://plugins.trac.wordpress.org/browser/wp-fusion-lite/trunk/includes/admin/logging/class-log-table-list.php?rev=2497097#L427",
"refsource": "MISC",
"url": "https://plugins.trac.wordpress.org/browser/wp-fusion-lite/trunk/includes/admin/logging/class-log-table-list.php?rev=2497097#L427"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 3.37.30 or newer of the plugin."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2021-34660",
"datePublished": "2021-08-09T12:23:26.100Z",
"dateReserved": "2021-06-10T00:00:00.000Z",
"dateUpdated": "2025-05-23T20:11:00.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-34661 (GCVE-0-2021-34661)
Vulnerability from cvelistv5 – Published: 2021-08-09 12:23 – Updated: 2025-05-23 20:11
VLAI
Title
WP Fusion Lite <= 3.37.18 Cross-Site Request Forgery to Data Deletion
Summary
The WP Fusion Lite WordPress plugin is vulnerable to Cross-Site Request Forgery via the `show_logs_section` function found in the ~/includes/admin/logging/class-log-handler.php file which allows attackers to drop all logs for the plugin, in versions up to and including 3.37.18.
Severity
6.1 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.wordfence.com/vulnerability-advisorie… | x_refsource_MISC |
| https://plugins.trac.wordpress.org/browser/wp-fus… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Very Good Plugins | WP Fusion Lite |
Affected:
3.37.18 , ≤ 3.37.18
(custom)
|
Date Public
2021-08-06 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:19:47.864Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34661"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wp-fusion-lite/trunk/includes/admin/logging/class-log-handler.php?rev=2533608#L302"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-34661",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-23T20:11:15.622012Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T20:11:24.408Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WP Fusion Lite",
"vendor": "Very Good Plugins",
"versions": [
{
"lessThanOrEqual": "3.37.18",
"status": "affected",
"version": "3.37.18",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Xu-Liang Liao"
}
],
"datePublic": "2021-08-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The WP Fusion Lite WordPress plugin is vulnerable to Cross-Site Request Forgery via the `show_logs_section` function found in the ~/includes/admin/logging/class-log-handler.php file which allows attackers to drop all logs for the plugin, in versions up to and including 3.37.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-09T12:23:20.000Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34661"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://plugins.trac.wordpress.org/browser/wp-fusion-lite/trunk/includes/admin/logging/class-log-handler.php?rev=2533608#L302"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 3.37.30 or newer of the plugin."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WP Fusion Lite \u003c= 3.37.18 Cross-Site Request Forgery to Data Deletion",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "Wordfence",
"ASSIGNER": "security@wordfence.com",
"DATE_PUBLIC": "2021-08-06T17:51:00.000Z",
"ID": "CVE-2021-34661",
"STATE": "PUBLIC",
"TITLE": "WP Fusion Lite \u003c= 3.37.18 Cross-Site Request Forgery to Data Deletion"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP Fusion Lite",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "3.37.18",
"version_value": "3.37.18"
}
]
}
}
]
},
"vendor_name": "Very Good Plugins"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Xu-Liang Liao"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WP Fusion Lite WordPress plugin is vulnerable to Cross-Site Request Forgery via the `show_logs_section` function found in the ~/includes/admin/logging/class-log-handler.php file which allows attackers to drop all logs for the plugin, in versions up to and including 3.37.18."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34661",
"refsource": "MISC",
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34661"
},
{
"name": "https://plugins.trac.wordpress.org/browser/wp-fusion-lite/trunk/includes/admin/logging/class-log-handler.php?rev=2533608#L302",
"refsource": "MISC",
"url": "https://plugins.trac.wordpress.org/browser/wp-fusion-lite/trunk/includes/admin/logging/class-log-handler.php?rev=2533608#L302"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 3.37.30 or newer of the plugin."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2021-34661",
"datePublished": "2021-08-09T12:23:20.384Z",
"dateReserved": "2021-06-10T00:00:00.000Z",
"dateUpdated": "2025-05-23T20:11:24.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}