CVE-2021-39333
The Hashthemes Demo Importer Plugin = 1.1.1 for WordPress contained several AJAX functions which relied on a nonce which was visible to all logged-in users for access control, allowing them to execute a function that truncated nearly all database tables and removed the contents of...
CVE-2024-13775
The WooCommerce Support Ticket System plugin for WordPress is vulnerable to unauthorized access and loss of data due to missing capability checks on the 'ajaxdeletemessage', 'ajaxgetcustomerspartiallist', and 'ajaxgetadminslist' functions in all versions up to, and including, 17.8. This makes it...
Selesta Visual Access Manager security vulnerability
Selesta Visual Access Manager is a visual access manager from Selesta. Selesta Visual Access Manager suffers from a SQL injection vulnerability that stems from insufficient validation of a GET parameter in /common/ajaxfunction.php, allowing externally supplied SQL to reach the database query. An attacker can exploi...
CVE-2023-42236
An issue was discovered in Selesta Visual Access Manager VAM prior to 4.42.2. An authenticated attacker can perform SQL Injection in a GET parameter of /common/ajaxfunction.php...
WordPress plugin WPDash Notes security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...
CVE-2024-10533
The WP Chat App plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the ajaxinstallplugin function in all versions up to, and including, 3.6.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...
CVE-2024-10800 WordPress User Extra Fields <= 16.6 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
The WordPress User Extra Fields plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the ajaxsavefields function in all versions up to, and including, 16.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to ad...
CVE-2024-7485 Traffic Manager <= 1.4.5 - Unauthenticated Stored Cross-Site Scripting
The Traffic Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page' parameter in the 'UserWebStat' AJAX function in all versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...
CVE-2024-6753
The Social Auto Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mapTypes' parameter in the 'wpwautopostermapwordpressposttype' AJAX function in all versions up to, and including, 5.3.14 due to insufficient input sanitization and output escaping. This makes it...
CVE-2024-6752
CVE-2024-6752 corresponds to a stored cross-site scripting (XSS) vulnerability in the WordPress plugin Social Auto Poster. The issue affects all versions up to and including 5.3.14 and arises from insufficient input sanitization and output escaping in the wp_name parameter used by the wpw_auto_po...
PT-2024-37848 · WordPress · Social Auto Poster
Name of the Vulnerable Software and Affected Versions: Social Auto Poster plugin for WordPress versions up to, and including, 5.3.14 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in the wp name parameter of the wpw auto...
CVE-2024-6168
The Just Custom Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.2. This is due to missing or incorrect nonce validation on several AJAX functions. This makes it possible for unauthenticated attackers to invoke this functionality...
PT-2024-26888 · WordPress · Product Designer
Name of the Vulnerable Software and Affected Versions: Product Designer plugin for WordPress versions up to, and including, 1.0.33 Description: The issue is related to a missing capability check on the product designer ajax delete attach id function, which allows unauthorized loss of data. This...
PT-2024-29203 · WordPress · Pricing Table
Name of the Vulnerable Software and Affected Versions: Pricing Table plugin for WordPress versions up to, and including, 2.0.1 Description: The issue arises from a missing capability check on the ajax function, allowing authenticated attackers with subscriber-level access and above to perform...
WordPress plugin WP Reset security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...
CVE-2024-3233 Ivory Search – WordPress Search Plugin <= 5.5.5 - Missing Authorization to Authenticated (Subscriber+) Index Creation
The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxcreateindex function in all versions up to, and including, 5.5.5. This makes it possible for authenticated attackers, with subscriber-lev...
CVE-2024-0613
CVE-2024-0613 refers to the Delete Custom Fields WordPress plugin. The description (and corroborating references) state that all versions up to and including 0.3.1 are vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on ajax_delete_field(). This enables unauth...
CVE-2024-3206 Different Menu in Different Pages – Control Menu Visibility (All in One) <= 2.3.2 - Missing Authorization to Menu Duplication
The Different Menu in Different Pages – Control Menu Visibility All in One plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ajax function in all versions up to, and including, 2.3.2. This makes it possible for authenticated attackers, with...
PT-2024-24379 · WordPress · The Different Menu In Different Pages – Control Menu Visibility
Name of the Vulnerable Software and Affected Versions: The Different Menu in Different Pages – Control Menu Visibility All in One plugin for WordPress versions up to, and including, 2.3.2 Description: The issue is related to unauthorized access due to a missing capability check on the ajax...
Different Menu in Different Pages – Control Menu Visibility (All in One) <= 2.3.2 - Missing Authorization to Menu Duplication
Description The Different Menu in Different Pages – Control Menu Visibility All in One plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ajax function in all versions up to, and including, 2.3.2. This makes it possible for authenticated attackers,...