Clean Login
Monthly
Insecure direct object reference in the Clean Login WordPress plugin versions 1.15 and earlier allows remote unauthenticated attackers to manipulate object identifiers to modify data they should not control and to disrupt plugin-managed functionality. The flaw is reported by Patchstack and tagged as an authentication bypass affecting Alberto Hornero's Clean Login plugin, with no public exploit identified at time of analysis. CVSS 3.1 rates it 8.2 due to the network-reachable, no-privileges, no-interaction vector with limited integrity impact and high availability impact.
The Clean Login plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.14.5 via the 'template' attribute of the clean-login-register shortcode. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
CSRF in the Clean Login plugin before 1.8 for WordPress allows remote attackers to change the login redirect URL or logout redirect URL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Insecure direct object reference in the Clean Login WordPress plugin versions 1.15 and earlier allows remote unauthenticated attackers to manipulate object identifiers to modify data they should not control and to disrupt plugin-managed functionality. The flaw is reported by Patchstack and tagged as an authentication bypass affecting Alberto Hornero's Clean Login plugin, with no public exploit identified at time of analysis. CVSS 3.1 rates it 8.2 due to the network-reachable, no-privileges, no-interaction vector with limited integrity impact and high availability impact.
The Clean Login plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.14.5 via the 'template' attribute of the clean-login-register shortcode. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
CSRF in the Clean Login plugin before 1.8 for WordPress allows remote attackers to change the login redirect URL or logout redirect URL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.