Security Vulnerabilities - CVEs Published In November 2022
Cleartext Transmission of Sensitive Information vulnerability due to the use of Basic Authentication for HTTP connections in Mitsubishi Electric consumer electronics products (PHOTOVOLTAIC COLOR MONITOR ECO-GUIDE, HEMS adapter, Wi-Fi Interface, Air Conditioning, Induction hob, Mitsubishi Electric HEMS Energy Measurement Unit, Refrigerator, Remote control with Wi-Fi Interface, BATHROOM THERMO VENTILATOR, Rice cooker, Mitsubishi Electric HEMS control adapter, Energy Recovery Ventilator, Smart Switch, Ventilating Fan, Range hood fan, Energy Measurement Unit and Air Purifier) allows a remote unauthenticated attacker to disclose information in the products or cause a denial of service (DoS) condition as a result by sniffing credential information (username and password).
The wide range of models/versions of Mitsubishi Electric consumer electronics products are affected by this vulnerability.
As for the affected product models/versions, see the Mitsubishi Electric's advisory which is listed in [References] section.
CVSS Score
9.8
EPSS Score
0.007
Published
2022-11-08
Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site Scripting (XSS) in David Anderson Testimonial Slider plugin <= 1.3.1 on WordPress.
CVSS Score
6.1
EPSS Score
0.001
Published
2022-11-08
Cross-Site Request Forgery (CSRF) vulnerability in Advanced Coupons for WooCommerce Coupons plugin <= 4.5 on WordPress leading to notice dismissal.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-11-08
Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to plugin settings import.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-11-08
Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Mantenimiento web plugin <= 0.13 on WordPress.
CVSS Score
4.8
EPSS Score
0.001
Published
2022-11-08
Server Side Request Forgery (SSRF) vulnerability in All in One SEO Pro plugin <= 4.2.5.1 on WordPress.
CVSS Score
3.0
EPSS Score
0.003
Published
2022-11-08
Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 on WordPress leading to topic deletion.
CVSS Score
5.4
EPSS Score
0.001
Published
2022-11-08
Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) in Vladimir Anokhin's Shortcodes Ultimate plugin <= 5.12.0 on WordPress.
CVSS Score
6.1
EPSS Score
0.001
Published
2022-11-08
Insecure direct object references (IDOR) vulnerability in the wpForo Forum plugin <= 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public.
CVSS Score
6.3
EPSS Score
0.001
Published
2022-11-08
Nonce token leakage and missing authorization in SearchWP premium plugin <= 4.2.5 on WordPress leading to plugin settings change.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-11-08