Bricksforge
Monthly
Unauthenticated privilege escalation in the Bricksforge WordPress plugin (versions ≤ 3.1.8.6) lets remote attackers create a new administrator account by abusing the Pro Forms User Registration action. The plugin fails to validate the fieldIds parameter, so attacker-supplied field IDs are injected into the trusted form-field whitelist, enabling mass-assignment of a privileged role. No public exploit has been identified at time of analysis, but the flaw is trivially exploitable (CVSS 9.8) on any site exposing a Pro Forms registration element.
Unauthenticated sensitive data exposure in the Bricksforge WordPress plugin versions 3.1.8.4 and earlier allows remote attackers to retrieve confidential information without any credentials. The flaw, tracked under CWE-201 (Insertion of Sensitive Information Into Sent Data), carries a CVSS 3.1 score of 7.5 driven entirely by confidentiality impact, and no public exploit has been identified at time of analysis.
Missing Authorization vulnerability in Bricksforge.0.17. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in Bricksforge.0.17. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unauthenticated privilege escalation in the Bricksforge WordPress plugin (versions ≤ 3.1.8.6) lets remote attackers create a new administrator account by abusing the Pro Forms User Registration action. The plugin fails to validate the fieldIds parameter, so attacker-supplied field IDs are injected into the trusted form-field whitelist, enabling mass-assignment of a privileged role. No public exploit has been identified at time of analysis, but the flaw is trivially exploitable (CVSS 9.8) on any site exposing a Pro Forms registration element.
Unauthenticated sensitive data exposure in the Bricksforge WordPress plugin versions 3.1.8.4 and earlier allows remote attackers to retrieve confidential information without any credentials. The flaw, tracked under CWE-201 (Insertion of Sensitive Information Into Sent Data), carries a CVSS 3.1 score of 7.5 driven entirely by confidentiality impact, and no public exploit has been identified at time of analysis.
Missing Authorization vulnerability in Bricksforge.0.17. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in Bricksforge.0.17. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.