cvebase

Wpwave Hide My Wp vulnerabilities

4 known vulnerabilities affecting wpwave/hide_my_wp.

Total CVEs: 4
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 2

Vulnerabilities

CVE-2022-4681 | P2 | CRITICAL | CVSS 9.8 | PoC | fixed in 6.2.9 | 2023-02-06
CWE-89: The Hide My WP WordPress plugin before 6.2.9 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
Source: NVD
CVE-2021-36916 | P3 | CRITICAL | CVSS 9.8 | ≤ 6.2.3 | 2021-11-24
CWE-89: The SQL injection vulnerability in the Hide My WP WordPress plugin (versions <= 6.2.3) is possible because of how the IP address is retrieved and used inside a SQL query. The function "hmwp_get_user_ip" tries to retrieve the IP address from multiple headers, including IP address headers that the user can spoof, such as "X-Forwarded-For." As a resul
Source: NVD
CVE-2021-36917 | P3 | HIGH | CVSS 7.5 | ≤ 6.2.3 | 2021-11-24
CWE-284: WordPress Hide My WP plugin (versions <= 6.2.3) can be deactivated by any unauthenticated user. It is possible to retrieve a reset token which can then be used to deactivate the plugin.
Source: NVD
CVE-2025-69098 | P4 | HIGH | CVSS 7.1 | ≤ 6.2.12 | 2026-01-22
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWave Hide My WP hide_my_wp allows Reflected XSS. This issue affects Hide My WP: from n/a through <= 6.2.12.
Source: NVD