cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2023-2171,https://securityvulnerability.io/vulnerability/CVE-2023-2171,Stored Cross-Site Scripting Vulnerability in BadgeOS Plugin for WordPress,"The BadgeOS plugin for WordPress is vulnerable to stored cross-site scripting because user-supplied attributes in its shortcodes are neither sanitised on input nor escaped on output. Authenticated users with contributor-level permissions or higher can inject arbitrary web scripts into pages, and those scripts execute whenever another user views the affected page.",Wordpress,BadgeOS,5.4,MEDIUM,0.00048,false,,false,false,false,,false,false,2023-08-31T06:15:00.000Z,0
CVE-2023-2172,https://securityvulnerability.io/vulnerability/CVE-2023-2172,Insecure Direct Object Reference in BadgeOS Plugin for WordPress,"The BadgeOS plugin for WordPress, in versions up to and including 3.7.1.6, is vulnerable to Insecure Direct Object Reference because several functions, including badgeos_update_steps_ajax_handler, lack adequate validation and authorization checks. Authenticated users with subscriber-level access or higher can modify the titles of arbitrary posts.",Wordpress,BadgeOS,4.3,MEDIUM,0.00047,false,,false,false,false,,false,false,2023-08-31T06:15:00.000Z,0
CVE-2023-2174,https://securityvulnerability.io/vulnerability/CVE-2023-2174,Unauthorized Data Modification in BadgeOS Plugin for WordPress,"The BadgeOS plugin for WordPress is vulnerable to unauthorized data modification because of a missing capability check in the delete_badgeos_log_entries function. Authenticated attackers with subscriber-level permissions or higher can delete the plugin's log entries. Users should update to the latest version.",Wordpress,BadgeOS,4.3,MEDIUM,0.00048,false,,false,false,false,,false,false,2023-08-31T06:15:00.000Z,0
CVE-2023-2173,https://securityvulnerability.io/vulnerability/CVE-2023-2173,Insecure Direct Object Reference in BadgeOS Plugin for WordPress,"The BadgeOS plugin for WordPress, in versions up to and including 3.7.1.6, is vulnerable to Insecure Direct Object Reference because several functions that handle Ajax requests lack adequate validation and authorization checks. Authenticated users with subscriber-level permissions or higher can delete arbitrary posts. Site administrators should update to the latest version.",Wordpress,BadgeOS,6.5,MEDIUM,0.00071,false,,false,false,false,,false,false,2023-08-31T06:15:00.000Z,0
CVE-2022-2958,https://securityvulnerability.io/vulnerability/CVE-2022-2958,BadgeOS < 3.7.1.3 - Subscriber+ SQLi,"The BadgeOS WordPress plugin before 3.7.1.3 does not sanitise and escape parameters before using them in SQL statements via AJAX actions available to any authenticated user, leading to SQL injection.",Wordpress,BadgeOS,8.8,HIGH,0.00114,false,,false,false,false,,false,false,2022-09-19T14:01:05.000Z,0
CVE-2022-0817,https://securityvulnerability.io/vulnerability/CVE-2022-0817,BadgeOS <= 3.7.0 - Unauthenticated SQLi,"The BadgeOS WordPress plugin through 3.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to SQL injection exploitable by unauthenticated users.",Wordpress,BadgeOS,9.8,CRITICAL,0.07494,false,,false,false,false,,false,false,2022-05-09T16:50:34.000Z,0
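The rows above describe four weakness classes that recur in WordPress plugins exposing admin-ajax.php handlers: a handler hooked for every logged-in user (or for anonymous users via wp_ajax_nopriv_*) with no capability check, a role-level check that never asks whether this user may act on this particular post, request parameters interpolated into SQL, and shortcode attributes printed without escaping. The PHP below is an added illustration of each weak pattern beside its hardened form; it is not BadgeOS code, and the myplugin_ function names, the AJAX action and nonce names, the myplugin_badge shortcode and the {$wpdb->prefix}myplugin_log table are hypothetical.

```php
<?php
/*
 * Added example, not BadgeOS source. All myplugin_* names, the AJAX
 * actions, nonce actions, the shortcode and the log table are hypothetical.
 */

/* ---------- Weak patterns (do not ship) ---------- */

// Reachable by every authenticated user once hooked to wp_ajax_*, and by
// anonymous users if also hooked to wp_ajax_nopriv_*. No nonce, no
// capability check, and $_POST['log_id'] goes straight into the SQL string.
function myplugin_delete_log_weak() {
    global $wpdb;
    $id = $_POST['log_id'];
    $wpdb->query( "DELETE FROM {$wpdb->prefix}myplugin_log WHERE id = $id" );
    wp_send_json_success();
}

// Role-level check only: any logged-in user (subscriber included) can delete
// any post, because the post id is never checked against this user's rights.
function myplugin_delete_post_weak() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    wp_delete_post( (int) $_POST['post_id'], true );
    wp_send_json_success();
}

// Contributor-supplied attribute echoed unescaped: stored XSS on every view.
function myplugin_badge_shortcode_weak( $atts ) {
    return '<span class="' . $atts['class'] . '">' . $atts['title'] . '</span>';
}

/* ---------- Hardened forms ---------- */

function myplugin_delete_log_hardened() {
    global $wpdb;

    // CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'myplugin_delete_log', 'nonce' );

    // Authorization: a capability the site owner actually grants for this,
    // not merely "is logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input: coerce to a positive integer before it gets anywhere near SQL.
    $id = isset( $_POST['log_id'] ) ? absint( $_POST['log_id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // SQL: parameterised through $wpdb->prepare(); %d cannot carry SQL.
    $deleted = $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$wpdb->prefix}myplugin_log WHERE id = %d",
            $id
        )
    );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

function myplugin_delete_post_hardened() {
    check_ajax_referer( 'myplugin_delete_post', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Object-level check: delete_post is evaluated for THIS post id, so a
    // subscriber cannot delete content they do not own.
    if ( 0 === $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success();
}

// Shortcode attributes are author-supplied data: escape at output, per context.
function myplugin_badge_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'class' => '' ), $atts, 'myplugin_badge' );
    return sprintf(
        '<span class="%s">%s</span>',
        esc_attr( $atts['class'] ),
        esc_html( $atts['title'] )
    );
}

// Only the hardened handlers are hooked, and only for logged-in users:
// privileged operations get no wp_ajax_nopriv_* registration.
add_action( 'wp_ajax_myplugin_delete_log',  'myplugin_delete_log_hardened' );
add_action( 'wp_ajax_myplugin_delete_post', 'myplugin_delete_post_hardened' );
add_shortcode( 'myplugin_badge', 'myplugin_badge_shortcode_hardened' );
```

When auditing a plugin for the classes listed in the table, grep for add_action( 'wp_ajax_ and add_action( 'wp_ajax_nopriv_ and, for each callback, confirm three things in order: a nonce check, a current_user_can() call whose second argument is the object being acted on where one exists, and no $wpdb->query() or $wpdb->get_results() call whose string is built without $wpdb->prepare(). A nopriv registration on anything that writes is the unauthenticated case the CVE-2022-0817 row describes.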