Lucene search

K

Frontend Security Vulnerabilities

cve
cve

CVE-2024-5149

The BuddyForms plugin for WordPress is vulnerable to Email Verification Bypass in all versions up to, and including, 2.8.9 via the use of an insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email...

6.5CVSS

7.2AI Score

0.0005EPSS

2024-06-05 05:15 AM
24
cve
cve

CVE-2024-4870

The Frontend Registration – Contact Form 7 plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1 due to insufficient restriction on the 'cf7frr' post meta. This makes it possible for authenticated attackers, with editor-level access and above, to modify...

7.2CVSS

7.1AI Score

0.001EPSS

2024-06-04 02:15 AM
1
cve
cve

CVE-2023-51483

Improper Privilege Management vulnerability in Glowlogix WP Frontend Profile allows Privilege Escalation.This issue affects WP Frontend Profile: from n/a through...

9.8CVSS

6.8AI Score

0.0004EPSS

2024-05-17 09:15 AM
40
cve
cve

CVE-2023-47682

Improper Privilege Management vulnerability in weDevs WP User Frontend allows Privilege Escalation.This issue affects WP User Frontend: from n/a through...

7.2CVSS

6.8AI Score

0.0004EPSS

2024-05-17 09:15 AM
58
cve
cve

CVE-2024-34706

Valtimo is an open source business process and case management platform. When opening a form in Valtimo, the access token (JWT) of the user is exposed to api.form.io via the the x-jwt-token header. An attacker can retrieve personal information from this token, or use it to execute requests to the.....

9.8CVSS

6.6AI Score

0.0004EPSS

2024-05-14 03:39 PM
35
cve
cve

CVE-2024-3729

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'fea_encrypt' function in all versions up to, and including, 3.19.4. This makes it possible for unauthenticated attackers to manipulate the user processing forms, which can.....

9.8CVSS

7AI Score

0.0004EPSS

2024-05-02 05:15 PM
46
cve
cve

CVE-2024-2967

The Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form settings in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping. This makes it...

4.4CVSS

5.7AI Score

0.0004EPSS

2024-05-02 05:15 PM
24
cve
cve

CVE-2024-32726

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in vinoth06. Frontend Dashboard.This issue affects Frontend Dashboard: from n/a through...

7.5CVSS

6.7AI Score

0.0004EPSS

2024-04-24 08:15 AM
25
cve
cve

CVE-2024-29775

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vinoth06. Frontend Dashboard allows Stored XSS.This issue affects Frontend Dashboard: from n/a through...

6.5CVSS

9.1AI Score

0.0004EPSS

2024-03-27 01:15 PM
25
cve
cve

CVE-2024-29929

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WC Lovers WCFM – Frontend Manager for WooCommerce allows Stored XSS.This issue affects WCFM – Frontend Manager for WooCommerce: from n/a through...

5.9CVSS

6.5AI Score

0.0004EPSS

2024-03-27 10:15 AM
31
cve
cve

CVE-2024-25903

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in N-Media Frontend File Manager.This issue affects Frontend File Manager: from n/a through...

5.3CVSS

5.3AI Score

0.0004EPSS

2024-03-17 05:15 PM
42
cve
cve

CVE-2024-1158

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buddyforms_new_page function in all versions up to, and including,....

4.3CVSS

5.3AI Score

0.0004EPSS

2024-03-13 04:15 PM
16
cve
cve

CVE-2024-1170

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the handle_deleted_media function in all versions up to, and including,....

8.2CVSS

8.6AI Score

0.0004EPSS

2024-03-07 11:15 AM
33
cve
cve

CVE-2024-1169

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media upload due to a missing capability check on the buddyforms_upload_handle_dropped_media function in all versions up to, and....

7.5CVSS

7.8AI Score

0.0004EPSS

2024-03-07 11:15 AM
29
cve
cve

CVE-2024-0374

The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.2. This is due to missing or incorrect nonce validation on the 'create_view' function. This makes it possible for.....

4.3CVSS

5.2AI Score

0.001EPSS

2024-02-05 10:16 PM
16
cve
cve

CVE-2024-0371

The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'create_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated....

4.3CVSS

5.2AI Score

0.0004EPSS

2024-02-05 10:16 PM
18
cve
cve

CVE-2024-0372

The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_form_fields' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated...

4.3CVSS

5.2AI Score

0.0004EPSS

2024-02-05 10:16 PM
19
cve
cve

CVE-2024-0373

The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.2. This is due to missing or incorrect nonce validation on the 'save_view' function. This makes it possible for...

4.3CVSS

5.3AI Score

0.001EPSS

2024-02-05 10:16 PM
16
cve
cve

CVE-2024-0370

The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated...

4.3CVSS

5.3AI Score

0.0004EPSS

2024-02-05 10:16 PM
18
cve
cve

CVE-2023-6996

The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Code Injection via the plugin's vg_display_data shortcode in all versions up to, and including, 1.2.1 due to insufficient input validation and restriction on access to that shortcode....

8.8CVSS

8.7AI Score

0.001EPSS

2024-02-05 10:15 PM
11
cve
cve

CVE-2023-6982

The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode and postmeta in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied....

6.4CVSS

5.2AI Score

0.0004EPSS

2024-02-05 10:15 PM
20
cve
cve

CVE-2023-6983

The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.1 via the vg_display_data shortcode due to missing validation on a user controlled key. This makes it possible...

4.3CVSS

4.6AI Score

0.0004EPSS

2024-02-05 10:15 PM
17
cve
cve

CVE-2023-51411

Unrestricted Upload of File with Dangerous Type vulnerability in Shabti Kaplan Frontend Admin by DynamiApps.This issue affects Frontend Admin by DynamiApps: from n/a through...

10CVSS

9.4AI Score

0.001EPSS

2023-12-29 02:15 PM
17
cve
cve

CVE-2023-32725

The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. The received session cookie can then be used to access the frontend as the particular...

9.6CVSS

8.5AI Score

0.001EPSS

2023-12-18 10:15 AM
41
cve
cve

CVE-2023-5105

The Frontend File Manager Plugin WordPress plugin before 22.6 has a vulnerability that allows an Editor+ user to bypass the file download logic and download files such as...

6.5CVSS

6.7AI Score

0.0005EPSS

2023-12-04 10:15 PM
11
cve
cve

CVE-2023-1982

The Front Editor WordPress plugin through 4.0.4 does not sanitize and escape some of its form settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

4.8CVSS

4.9AI Score

0.0004EPSS

2023-08-30 03:15 PM
62
cve
cve

CVE-2023-30952

A security defect was discovered in Foundry Issues that enabled users to create convincing phishing links by editing the request sent when creating an Issue. This defect was resolved in Frontend release 6.228.0...

5CVSS

4.6AI Score

0.0004EPSS

2023-08-03 10:15 PM
15
cve
cve

CVE-2023-30958

A security defect was identified in Foundry Frontend that enabled users to potentially conduct DOM XSS attacks if Foundry's CSP were to be bypassed. This defect was resolved with the release of Foundry Frontend...

6.1CVSS

6AI Score

0.0005EPSS

2023-08-03 10:15 PM
42
cve
cve

CVE-2023-26449

The "OX Chat" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker...

5.4CVSS

5.8AI Score

0.001EPSS

2023-08-02 01:15 PM
2322
cve
cve

CVE-2023-26450

The "OX Count" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker...

5.4CVSS

5.8AI Score

0.001EPSS

2023-08-02 01:15 PM
2316
cve
cve

CVE-2023-26448

Custom log-in and log-out locations are used-defined as jslob but were not checked to contain malicious protocol handlers. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit...

5.4CVSS

5.6AI Score

0.001EPSS

2023-08-02 01:15 PM
2319
cve
cve

CVE-2023-26447

The "upsell" widget for the portal allows to specify a product description. This description taken from a user-controllable jslob did not get escaped before being added to DOM. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering...

5.4CVSS

5.5AI Score

0.001EPSS

2023-08-02 01:15 PM
2319
cve
cve

CVE-2023-26446

The users clientID at "application passwords" was not sanitized or escaped before being added to DOM. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would....

5.4CVSS

5.5AI Score

0.001EPSS

2023-08-02 01:15 PM
2319
cve
cve

CVE-2023-26445

Frontend themes are defined by user-controllable jslob settings and could point to a malicious resource which gets processed during login. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and...

5.4CVSS

5.5AI Score

0.001EPSS

2023-08-02 01:15 PM
2317
cve
cve

CVE-2023-29457

Reflected XSS attacks, occur when a malicious script is reflected off a web application to the victim's browser. The script can be activated through Action form fields, which can be sent as request to a website with a vulnerability that enables execution of malicious...

6.3CVSS

6.5AI Score

0.001EPSS

2023-07-13 10:15 AM
56
cve
cve

CVE-2023-29455

Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off a web application to the victim's browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious...

6.1CVSS

6.5AI Score

0.001EPSS

2023-07-13 10:15 AM
56
cve
cve

CVE-2023-29454

Stored or persistent cross-site scripting (XSS) is a type of XSS where the attacker first sends the payload to the web application, then the application saves the payload (e.g., in a database or server-side text files), and finally, the application unintentionally executes the payload for every...

5.4CVSS

5.3AI Score

0.0005EPSS

2023-07-13 10:15 AM
51
cve
cve

CVE-2023-29456

URL validation scheme receives input from a user and then parses it to identify its various components. The validation scheme can ensure that all URL components comply with internet...

5.7CVSS

6.2AI Score

0.0005EPSS

2023-07-13 10:15 AM
16
cve
cve

CVE-2023-30963

A security defect was discovered in Foundry Frontend which enabled users to perform Stored XSS attacks in Slate if Foundry's CSP were to be bypassed. This defect was resolved with the release of Foundry Frontend 6.229.0. The service was rolled out to all affected Foundry instances. No further...

5.4CVSS

5.2AI Score

0.0004EPSS

2023-07-10 10:15 PM
17
cve
cve

CVE-2023-22835

A security defect was identified that enabled a user of Foundry Issues to perform a Denial of Service attack by submitting malformed data in an Issue that caused loss of frontend functionality to all issue participants. This defect was resolved with the release of Foundry Issues 2.510.0 and...

7.7CVSS

7.4AI Score

0.001EPSS

2023-07-10 09:15 PM
17
cve
cve

CVE-2021-4378

The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with minimal permissions like subscribers, to inject.....

6.4CVSS

5AI Score

0.001EPSS

2023-06-07 02:15 AM
16
cve
cve

CVE-2021-4383

The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to page content injection in versions up to, and including, 5.5. This is due to missing capability checks in the plugin's page-editing functionality. This makes it possible for low-authenticated attackers, such as subscribers, to...

8.1CVSS

4.7AI Score

0.001EPSS

2023-06-07 02:15 AM
13
cve
cve

CVE-2021-4363

The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.5 due to insufficient input sanitization and output escaping on the 'save_content_front' function that uses print_r on the user-supplied $_REQUEST values . This...

6.1CVSS

6AI Score

0.001EPSS

2023-06-07 02:15 AM
11
cve
cve

CVE-2021-4365

The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to, and including, 18.2. This is due to lacking authentication protections and santisation all on the wpfm_edit_file_title_desc AJAX action. This makes it possible for...

7.2CVSS

5.9AI Score

0.001EPSS

2023-06-07 02:15 AM
13
cve
cve

CVE-2021-4356

The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Download in versions up to, and including, 18.2. This is due to lacking authentication protections, capability checks, and sanitization, all on the wpfm_file_meta_update AJAX action. This makes it...

9.8CVSS

9.4AI Score

0.002EPSS

2023-06-07 02:15 AM
15
cve
cve

CVE-2021-4369

The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Content Injection in versions up to, and including, 18.2. This is due to lacking authorization protections, checks against users editing other's posts, and lacking a security nonce, all on the wpfm_edit_file_title_desc....

5.8CVSS

5.4AI Score

0.001EPSS

2023-06-07 02:15 AM
14
cve
cve

CVE-2021-4371

The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to Setting Changs in versions up to, and including, 5.5. This is due to lacking both a security nonce and a capabilities check. This makes it possible for low-authenticated attackers to change plugin settings even when they do not...

4.3CVSS

4.5AI Score

0.001EPSS

2023-06-07 02:15 AM
10
cve
cve

CVE-2021-4368

The Frontend File Manager plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 18.2. This is due to lacking capability checks and a security nonce, all on the wpfm_save_settings AJAX action. This makes it possible for subscriber-level attackers to...

9.9CVSS

8.8AI Score

0.005EPSS

2023-06-07 02:15 AM
11
cve
cve

CVE-2021-4359

The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 18.2. This is due to lacking authentication protections and lacking a security nonce on the wpfm_delete_file AJAX action. This makes it possible for...

6.5CVSS

5.3AI Score

0.001EPSS

2023-06-07 02:15 AM
13
cve
cve

CVE-2021-4344

The Frontend File Manager plugin for WordPress is vulnerable to Privilege Escalation in versions up to, and including, 18.2. This is due to lacking mishandling the use of user IDs that is accessible by the visitor. This makes it possible for unauthenticated or authenticated attackers to access the....

6.4CVSS

5.3AI Score

0.001EPSS

2023-06-07 02:15 AM
13
Total number of security vulnerabilities98