Hide My Wp

hide_my_wp

Vendor: Wpwave • 3 CVEs

CVEs (3)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-4681 1Wpwave 1Hide My Wp Mar 25, 2025 Feb 6, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Hide My WP WordPress plugin before 6.2.9 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
CVE-2021-36917 1Wpwave 1Hide My Wp Nov 21, 2024 Nov 24, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 WordPress Hide My WP plugin (versions <= 6.2.3) can be deactivated by any unauthenticated user. It is possible to retrieve a reset token which can then be used to deactivate the plugin.
CVE-2021-36916 1Wpwave 1Hide My Wp Nov 21, 2024 Nov 24, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) is possible because of how the IP address is retrieved and used inside a SQL query. The function "hmwp_get_user_ip" tries to retrieve...Show more The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) is possible because of how the IP address is retrieved and used inside a SQL query. The function "hmwp_get_user_ip" tries to retrieve the IP address from multiple headers, including IP address headers that the user can spoof, such as "X-Forwarded-For." As a result, the malicious payload supplied in one of these IP address headers will be directly inserted into the SQL query, making SQL injection possible.Show less