8807 matches found
CVE-2023-2087 Essential Blocks <= 4.0.6 - Cross-Site Request Forgery via save
The Essential Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.0.6. This is due to missing or incorrect nonce validation on the save function. This makes it possible for unauthenticated attackers to change plugin settings via a forged...
CVE-2023-0292 Quiz And Survey Master <= 8.0.8 - Cross-Site Request Forgery to Arbitrary Media Deletion
The Quiz And Survey Master plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.0.8. This is due to missing nonce validation on the function associated with the qsmremovefilefdquestion AJAX action. This makes it possible for unauthenticated attacker...
CVE-2023-0292 Quiz And Survey Master <= 8.0.8 - Cross-Site Request Forgery to Arbitrary Media Deletion
The Quiz And Survey Master plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.0.8. This is due to missing nonce validation on the function associated with the qsmremovefilefdquestion AJAX action. This makes it possible for unauthenticated attacker...
CVE-2023-2891 WP EasyCart <= 5.4.8 - Cross-Site Request Forgery via process_delete_product
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the processdeleteproduct function. This makes it possible for unauthenticated attackers to delete products via a forged...
CVE-2023-2891 WP EasyCart <= 5.4.8 - Cross-Site Request Forgery via process_delete_product
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the processdeleteproduct function. This makes it possible for unauthenticated attackers to delete products via a forged...
CVE-2023-1807
The CVE-2023-1807 entry concerns the Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress. The root cause is missing or incorrect nonce validation in the toggle_widget function, allowing Cross-Site Request Forgery. Affected are WordPress sites running Stax up to version 1.4.3. I...
CVE-2023-1807 Elementor Addons, Widgets and Enhancements – Stax <= 1.4.3 - Cross-Site Request Forgery via toggle_widget
The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.3. This is due to missing or incorrect nonce validation on the togglewidget function. This makes it possible for unauthenticated attackers t...
CVE-2023-1807 Elementor Addons, Widgets and Enhancements – Stax <= 1.4.3 - Cross-Site Request Forgery via toggle_widget
The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.3. This is due to missing or incorrect nonce validation on the togglewidget function. This makes it possible for unauthenticated attackers t...
CVE-2023-2067 Announcement & Notification Banner – Bulletin <= 3.7.0 - Cross-Site Request Forgery
The Announcement & Notification Banner – Bulletin plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce validation on the 'bulletinwpupdatebulletinstatus', 'bulletinwpupdatebulletin', 'bulletinwpupdatesettings', 'bulletinwpupdatestatus',...
CVE-2023-0729 Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_save_sort_order
The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajaxsavesortorder function. This makes it possible for unauthenticated attackers to invoke this function via...
CVE-2023-2085 Essential Blocks <= 4.0.6 - Missing Authorization via templates
The Essential Blocks plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the templates function in versions up to, and including, 4.0.6. This makes it possible for subscriber-level attackers to obtain plugin template information. While a...
CVE-2023-2599 Active Directory Integration / LDAP Integration <= 4.1.4 - Cross-Site Request Forgery to SQL Injection
The Active Directory Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 4.1.4 due to missing nonce verification on the getusers function and insufficient escaping o...
CVE-2023-2526 Easy Google Maps <= 1.11.7 - Cross-Site Request Forgery via AJAX action
The Easy Google Maps plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.11.7. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to executes AJAX actions via a forg...
CVE-2023-2084 Essential Blocks <= 4.0.6 - Missing Authorization via get
The Essential Blocks plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the get function in versions up to, and including, 4.0.6. This makes it possible for subscriber-level attackers to obtain plugin settings. While a nonce check is...
CVE-2023-0831 Under Construction <= 3.96 - Cross-Site Request Forgery via admin_action_ucp_dismiss_notice
The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the dismissnotice function called via the adminactionucpdismissnotice action. This makes it possible for...
CVE-2023-0831
The CVE-2023-0831 entry concerns the WordPress plugin Under Construction. A CSRF flaw exists in versions up to 3.96 due to missing/incorrect nonce validation in the dismiss_notice function invoked by admin_action_ucp_dismiss_notice, allowing unauthenticated attackers to dismiss plugin notificatio...
CVE-2023-0831 Under Construction <= 3.96 - Cross-Site Request Forgery via admin_action_ucp_dismiss_notice
The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the dismissnotice function called via the adminactionucpdismissnotice action. This makes it possible for...
WordPress Plugin WP Activity Log Premium 跨站请求伪造漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site request forgery...
PT-2023-20414 · WordPress · Active Directory Integration
Name of the Vulnerable Software and Affected Versions: Active Directory Integration plugin for WordPress versions up to, and including, 4.1.4 Description: The issue allows unauthenticated attackers to perform time-based SQL Injection via the orderby and order parameters due to missing nonce...
WordPress Plugin WP EasyCart 跨站请求伪造漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site request forger...