Vulnerabilities and security researches forbetter-wp-security better-wp-security
Direction: ascendingJun 07, 2024
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # CVE-2018-12636
- CVE, Research URL
- Home page URL
- Date
- Jun 22, 2018
- Research Description
- The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page.
- Affected versions
-
max 7.0.3.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # CVE-2012-4264
- CVE, Research URL
- Home page URL
- Date
- Aug 14, 2012
- Research Description
- Multiple cross-site scripting (XSS) vulnerabilities in the Better WP Security (better_wp_security) plugin before 3.2.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "server variables," a different vulnerability than CVE-2012-4263.
- Affected versions
-
max 3.2.5.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # CVE-2020-36176
- CVE, Research URL
- Home page URL
- Date
- Jan 06, 2021
- Research Description
- The iThemes Security (formerly Better WP Security) plugin before 7.7.0 for WordPress does not enforce a new-password requirement for an existing account until the second login occurs.
- Affected versions
-
max 7.7.0.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # CVE-2012-4263
- CVE, Research URL
- Home page URL
- Date
- Aug 14, 2012
- Research Description
- Cross-site scripting (XSS) vulnerability in inc/admin/content.php in the Better WP Security (better_wp_security) plugin before 3.2.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the HTTP_USER_AGENT header.
- Affected versions
-
max 3.2.5.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # CVE-2018-7433
- CVE, Research URL
- Home page URL
- Date
- Mar 03, 2018
- Research Description
- The iThemes Security plugin before 6.9.1 for WordPress does not properly perform data escaping for the logs page.
- Affected versions
-
max 6.9.1.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # CVE-2023-28786
- CVE, Research URL
- Home page URL
- Date
- Dec 29, 2023
- Research Description
- URL Redirection to Untrusted Site ('Open Redirect') vulnerability in SolidWP Solid Security – Password, Two Factor Authentication, and Brute Force Protection.This issue affects Solid Security – Password, Two Factor Authentication, and Brute Force Protection: from n/a through 8.1.4.
- Affected versions
-
max 8.1.5.
- Status
-
vulnerable
Jun 24, 2024
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # CVE-2022-44593
- CVE, Research URL
- Home page URL
- Date
- Jun 21, 2024
- Research Description
- Use of Less Trusted Source vulnerability in SolidWP Solid Security allows HTTP DoS.This issue affects Solid Security: from n/a through 9.3.1.
- Affected versions
-
max 9.3.2.
- Status
-
vulnerable
May 29, 2025
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # PSC-2025-64574
- PSC, Research URL
- Home page URL
- Date
- May 29, 2025
- Research Description
- Solid Security – Password, Two Factor Authentication, and Brute Force Protection is a comprehensive WordPress security plugin designed to protect websites from the most common and dangerous cyber threats. With a proactive security strategy, this plugin guards against brute force attacks, malware infections, session hijacking, and unauthorized logins. Built to adapt to various types of websites – from eCommerce to blogs – Solid Security provides real-time monitoring, intelligent user-level protection, and automated vulnerability patching. The plugin has undergone a detailed security audit and successfully received the Plugin Security Certification (PSC) from CleanTalk, guaranteeing robust code integrity and secure implementation practices for WordPress environments.
- Affected versions
-
Min 10.0.1, max 10.0.1.
- Status
-
SAFE & CERTIFIED
Jun 16, 2026
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # fe0d8d89afc6b4fb2cf1cfc23bcb53cd852e8e29
- CVE, Research URL
- Home page URL
- Date
- Oct 06, 2016
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 5.6.2 WordPress iThemes Security Plugin <= 5.6.1 - Stored XSS Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Update the plugin.
- Affected versions
-
max 5.6.2.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 8a40e42f5133edf9e9ecaab9dd44f5ef21ec4af8
- CVE, Research URL
- Home page URL
- Date
- Apr 25, 2016
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 5.3.6 WordPress iThemes Security Plugin <= 5.3.5 - Bypass This plugin is prone to lack of capability check vulnerability. It allows anyone “fake click” on this button, hiding the changes to the administrator. Update the plugin.
- Affected versions
-
max 5.3.6.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 6912bc9c8575d8f0f4c7d41ca8c085751d5b703b
- CVE, Research URL
- Home page URL
- Date
- Apr 21, 2021
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 7.9.1 WordPress iThemes Security plugin <= 7.9.0 - Hide Backend Bypass vulnerability Hide Backend Bypass vulnerability discovered by Julio Potier (SecuPress) in WordPress iThemes Security plugin (versions <= 7.9.0).
- Affected versions
-
max 7.9.1.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 4b5f8c2cfae2c6bce6f48b9e25ef461b66430307
- CVE, Research URL
- Home page URL
- Date
- May 15, 2015
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 3.6.4 WordPress Better WP Security Plugin <= 3.6.3 - Stored XSS This plugin is prone to /wp-admin/admin-ajax.php license parameter stored XSS weakness. Upgrade the plugin.
- Affected versions
-
max 3.6.4.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # b01671ba-c974-4fff-a684-dbd8cc265996
- CVE, Research URL
- Home page URL
- Date
- -
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 5.6.2 iThemes Security <= 5.6.1 - Unauthenticated Stored Cross-Site Scripting (XSS) The 404 detection module needs to be enabled.
- Affected versions
-
max 5.6.2.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 543cfd53aafbf580a08f01a9a3e1b540bf468cfd
- CVE, Research URL
- Home page URL
- Date
- Apr 22, 2016
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 5.3.1 WordPress iThemes Security Plugin <= 5.3.0 - Bypass This plugin is prone to insecure backup and logfile generation vulnerability. Update the plugin.
- Affected versions
-
max 5.3.1.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # afc2b84371636110d5d0c55d0ddc1ff0f40ba585
- CVE, Research URL
- Home page URL
- Date
- Apr 05, 2016
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 5.3.5 WordPress iThemes Security Plugin <= 5.3.4 - DOM XSS This plugin is prone to potential authenticated DOM cross site scripting vulnerability. Update the plugin.
- Affected versions
-
max 5.3.5.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 4a6112e7251ad56045e97df2deef9605c7cf135b
- CVE, Research URL
- Home page URL
- Date
- May 15, 2015
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 3.5.6 WordPress Better WP Security Plugin <= 3.5.5 - Stored XSS This plugin is prone to inc/admin/content.php id_specialfile parameter stored cross site scripting vulnerability. Update the plugin.
- Affected versions
-
max 3.5.6.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 52d6cd29ec3b567ca89fea4101575aede0c05297
- CVE, Research URL
- Home page URL
- Date
- May 15, 2015
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 4.0.0 WordPress Better WP Security Plugin <= 3.6.3 - XSS This plugin is prone to online backup storage current_time function brute force disclosure vulnerability. Upgrade the plugin.
- Affected versions
-
max 4.0.0.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # c951364e-e6a4-40fa-9001-741a386c9825
- CVE, Research URL
- Home page URL
- Date
- -
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 5.3.6 iThemes Security <= 5.3.5 - Lack of Capability Check The iThemes Security (formerly Better WP Security) WordPress plugin was affected by a Lack of Capability Check security vulnerability.
- Affected versions
-
max 5.3.6.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 99784e81-8085-4da4-a1a4-bd64d9437c55
- CVE, Research URL
- Home page URL
- Date
- -
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 5.3.1 iThemes Security <= 5.3.0 - Insecure Backup/Logfile Generation The iThemes Security (formerly Better WP Security) WordPress plugin was affected by an Insecure Backup/Logfile Generation security vulnerability.
- Affected versions
-
max 5.3.1.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # ae0e40ba1d6d102429e879fe3061c51d06391356
- CVE, Research URL
- Home page URL
- Date
- Oct 18, 2015
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 4.6.13 WordPress iThemes Security Plugin <= 4.6.12 - Stored XSS Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Update the plugin.
- Affected versions
-
max 4.6.13.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 1c7e52909769ef9360123c410f8346105889d13a
- CVE, Research URL
- Home page URL
- Date
- May 15, 2015
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 3.4.4 WordPress Better WP Security Plugin <= 3.4.3 - Multiple XSS Because of this vulnerability, the attackers can inject arbitrary JavaScript or HTML code. Update the plugin.
- Affected versions
-
max 3.4.4.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 55fe42ef-eba4-4992-bbc0-ebbe5abf63a1
- CVE, Research URL
- Home page URL
- Date
- -
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 5.3.5 iThemes Security <= 5.3.4 - Potential Authenticated DOM Cross-Site Scripting (XSS) The iThemes Security (formerly Better WP Security) WordPress plugin was affected by a Potential Authenticated DOM Cross-Site Scripting (XSS) security vulnerability.
- Affected versions
-
max 5.3.5.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 63f35fe6-b779-4c9e-b260-f6fb9cd0e231
- CVE, Research URL
- Home page URL
- Date
- -
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 4.6.13 iThemes Security 3.0-4.6.12 – Stored Cross-Site Scripting (XSS) The iThemes Security (formerly Better WP Security) WordPress plugin was affected by security vulnerability.
- Affected versions
-
max 4.6.13.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # aca181eb-a018-4010-90fe-1746c7a1e976
- CVE, Research URL
- Home page URL
- Date
- -
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 3.5.4 Better WP Security <= 3.5.3 - inc/secure.php logevent Function URL H&ling Stored XSS The iThemes Security (formerly Better WP Security) WordPress plugin was affected by an inc/secure.php logevent Function URL H&ling Stored XSS security vulnerability.
- Affected versions
-
max 3.5.4.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 33940f1012fa1bf55d2b1c456d711f0bd80d4383
- CVE, Research URL
- Home page URL
- Date
- Aug 02, 2013
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 3.5.4 WordPress Better WP Security Plugin - Stored XSS Better WP Security plugins is prone to a stored XSS vulnerability that allow to steal cookies or gain privileged access to the affected site. Update the plugin to 3.5.4 version.
- Affected versions
-
max 3.5.4.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 42fdb534-3aef-4ed7-94a8-4cfe8ff977e1
- CVE, Research URL
- Home page URL
- Date
- -
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 7.9.1 iThemes Security Free (< 7.9.1) & Pro (< 6.8.4) - Hide Backend Bypass Both the iThemes Security free and pro versions were affected. - Patched in Version (iThemes Security): 7.9.1 - Patched in Version (iThemes Security Pro): 6.8.4 The bug allowed attackers to bypass the "Hide Backend" feature, that, when enabled, hides the WordPress wp-login.php and wp-admin pages. This could allow attackers to conduct brute force or other attacks against the "hidden" pages, giving a false sense of security. This vulnerability was discovered and responsibly disclosed by Julio Potier of SecuPress. Update to version 7.9.1 of iThemes Security and 6.8.4 of iThemes Security Pro to receive the Hide Backed bypass workaround patch.
- Affected versions
-
max 7.9.1.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 635a923295fe04f78b5819b6f3bc0ed9a6f088a3
- CVE, Research URL
- Home page URL
- Date
- Apr 22, 2021
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 7.9.1 iThemes Security < 7.9.1 and iThemes Security Pro < 6.8.4 - Hidden Login Bypass It is possible to bypass the hidden login page functionality in iThemes Security < 7.9.1 and iThemes Security Pro < 6.8.4
- Affected versions
-
max 7.9.1.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 430b0a42ed24afe8ea7e78526c5b7cde6e5a7777
- CVE, Research URL
- Home page URL
- Date
- Oct 06, 2016
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 5.6.2 iThemes Security <= 5.6.1 - Stored Cross-Site Scripting The iThemes Security for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 5.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. "Security Fix: Updated log output to prevent specific kinds of logged requests from displaying without sanitization. Thanks to Slavco Mihajloski for contacting us about this issue." ~ https://wordpress.org/plugins/better-wp-security/#developers
- Affected versions
-
max 5.6.2.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 1a4790954a009aa6156cc9e03018079ba0509249
- CVE, Research URL
- Home page URL
- Date
- Apr 05, 2016
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 5.3.5 iThemes Security < 5.3.5 - Authenticated Cross-Site Scripting The iThemes Security plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 5.3.5.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # ba1836f2-4abe-400b-9290-8bdab0a7d105
- CVE, Research URL
- Home page URL
- Date
- -
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 3.6.4 wpscan.com
- Affected versions
-
max 3.6.4.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # a9098f41-65e3-4435-8d62-478c17c1963b
- CVE, Research URL
- Home page URL
- Date
- -
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 4.0.0 wpscan.com
- Affected versions
-
max 4.0.0.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 111b48ea654003c1b4d6d783b658d9ffc0529b71
- CVE, Research URL
- Home page URL
- Date
- Apr 25, 2016
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 5.3.6 iThemes Security <= 5.3.5 - Missing Capabilities Check The iThemes Security plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wp_ajax_itsec_file_change_warning_ajax function in versions up to, and including, 5.3.5. This makes it possible for authenticated attackers to perform administrative actions.
- Affected versions
-
max 5.3.6.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 2309b491e80a841a137f72a54af2a5a19ac08d7a
- CVE, Research URL
- Home page URL
- Date
- Aug 01, 2014
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 3.6.4 iThemes Security < 3.6.4 - Stored Cross-Site Scripting The iThemes Security plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘license’ parameter in versions before 3.6.4 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 3.6.4.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 2380931eb94bdb4d5653c347b8f31f5aae95046d
- CVE, Research URL
- Home page URL
- Date
- Aug 01, 2014
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 3.6.4 Better WP Security <= 3.6.3 - Stored Cross-Site Scripting The Better WP Security plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘license’ parameter in versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 3.6.4.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 07ff64442820ce1671bc5d7095e7dce704705e01
- CVE, Research URL
- Home page URL
- Date
- Aug 20, 2012
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 3.4.4 iThemes Security < 3.4.4 - Cross-Site Scripting The iThemes Security plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 3.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 3.4.4.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 84e3b0f1-534b-4504-b66a-d46211f66d11
- CVE, Research URL
- Home page URL
- Date
- -
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 3.5.6 wpscan.com
- Affected versions
-
max 3.5.6.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 8b901ecc712ae441afa86c72af886c143feda3db
- CVE, Research URL
- Home page URL
- Date
- Apr 21, 2016
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 5.3.1 iThemes Security < 5.3.1 - Insecure Backup/Logfile Generation The iThemes Security plugin for WordPress is vulnerable to insecure backup and logfile generation in versions up to, and including, 5.3.0. This is due to backup and logfiles being created in a world-readable directory. This makes it possible for unauthenticated attackers to view backup and log files.
- Affected versions
-
max 5.3.1.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # be7132443f1fa9fc293feb6ad66dc1755773f41a
- CVE, Research URL
- Home page URL
- Date
- Aug 01, 2014
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 3.5.4 Better WP Security <= 3.5.3 - Stored Cross-Site Scripting The Better WP Security plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'inc/secure.php' file in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping on logged data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 3.5.4.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 7227dcca-19c4-4125-af3f-04e6ccafdce2
- CVE, Research URL
- Home page URL
- Date
- -
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 3.4.4 wpscan.com
- Affected versions
-
max 3.4.4.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 52502b5bf9b726dd703e6c231aaebab779e39875
- CVE, Research URL
- Home page URL
- Date
- Apr 14, 2015
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 4.6.13 iThemes Security <= 4.6.12 - Stored Cross-Site Scripting The iThemes Security plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 4.6.12 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 4.6.13.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 644b563ee3339b1ba6d9dd93f3d8da484fca06b6
- CVE, Research URL
- Home page URL
- Date
- Sep 27, 2016
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 5.6.2 iThemes Security <= 5.6.1 - Sensitive Information Exposure via Diff Response The iThemes Security plugin for WordPress is vulnerable to sensitive information disclosure in versions up to, and including 5.6.1, due to invalid username/password combinations returning different HTTP headers on response. This makes it possible for attackers to observe differences in responses to determine valid usernames on the site (username enumeration).
- Affected versions
-
max 5.6.2.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # 166c6edea38e95694184ae6cad1d92ceba07553a
- CVE, Research URL
- Home page URL
- Date
- Oct 31, 2023
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 9.0.1 Solid Security Basic <= 9.0.0 - Unauthenticated Login Page Disclosure The Solid Security – Password, Two Factor Authentication, and Brute Force Protection plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 9.0.0. This is due to the plugin disclosing the login path when comments are enabled and registration is required. This makes it possible for unauthenticated attackers to discover the login page path and bypass the intended functionality of the security mechanism.
- Affected versions
-
max 9.0.1.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # b7201fc1-d825-484f-aca9-ba14a968179b
- CVE, Research URL
- Home page URL
- Date
- -
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 9.0.1 Solid Security Basic < 9.0.1 - Unauthenticated Login Page Disclosure The plugin is vulnerable to protection mechanism bypass due to disclosing the login path when comments are enabled and registration is required. This makes it possible for unauthenticated attackers to discover the login page path and bypass the intended functionality of the security mechanism.
- Affected versions
-
max 9.0.1.
- Status
-
vulnerable
Solid Security – Password, Two Factor Authentication, and Brute Force Protection # cec03e25a29a7e7f3705f209bc9213e9d1af432a
- CVE, Research URL
- Home page URL
- Date
- Nov 01, 2023
- Research Description
- Kadence Security – Password, Two Factor Authentication, and Brute Force Protection [better-wp-security] < 9.0.1 WordPress Solid Security Plugin <= 9.0.0 is vulnerable to Sensitive Data Exposure Update the WordPress Better WP Security plugin to the latest available version (at least 9.0.1). Naveen Muthusamy discovered and reported this Sensitive Data Exposure vulnerability in WordPress Solid Security Plugin. This vulnerability has been fixed in version 9.0.1.
- Affected versions
-
max 9.0.1.
- Status
-
vulnerable