Lucene search
K

126 matches found

wpexploit
wpexploit
added 2022/10/10 12:0 a.m.91 views

WP Total Hacks <= 4.7.2 - Subscriber+ Arbitrary Options Update to Stored XSS

The plugin does not prevent low privilege users from modifying the plugin's settings. This could allow users such as subscribers to perform Stored Cross-Site Scripting attacks against other users, like administrators, due to the lack of sanitisation and escaping as well. Run the below command in...

5.4CVSS0.3AI score0.00411EPSS
Exploits2
Cvelist
Cvelist
added 2022/07/17 10:36 a.m.21 views

CVE-2022-2144 Jquery Validation For Contact Form 7 < 5.3 - Arbitrary Options Update via CSRF

The Jquery Validation For Contact Form 7 WordPress plugin before 5.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change Blog options like defaultrole, userscanregister via a CSRF attack...

4.9AI score0.00412EPSS
Exploits2References1
Patchstack
Patchstack
added 2022/05/03 12:0 a.m.28 views

WordPress Content Mask plugin <= 1.8.4 - Arbitrary Options Update vulnerability

Arbitrary Options Update vulnerability discovered by ptsfence in WordPress Content Mask plugin versions = 1.8.4. Solution Update the WordPress Content Mask plugin to the latest available version at least 1.8.4.1...

4.3CVSS3.2AI score0.01052EPSS
Exploits3References3Affected Software1
WPVulnDB
WPVulnDB
added 2022/04/11 12:0 a.m.21 views

Sitemap by click5 < 1.0.36 - Unauthenticated Arbitrary Options Update

The plugin does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as the userscanregister and defaultrole,...

8.8CVSS2.8AI score0.13329EPSS
Exploits2Affected Software1
Patchstack
Patchstack
added 2022/03/01 12:0 a.m.16 views

WordPress Multilist Subscribe for Sendy plugin <= 1.6.1 - Subscriber+ Arbitrary Options Update vulnerability

Subscriber+ Arbitrary Options Update vulnerability discovered by 0xdecafbad in WordPress Multilist Subscribe for Sendy plugin versions = 1.6.1. Solution Deactivate and delete. This plugin has been closed as of February 1, 2022 and is not available for download. This closure is temporary, pending ...

3.1AI score
Exploits0References2Affected Software1
Patchstack
Patchstack
added 2022/02/16 12:0 a.m.6 views

WordPress Hub2word plugin <= 1.1.0 - Arbitrary Options Update vulnerability

Arbitrary Options Update vulnerability discovered by WPScanTeam in WordPress Hub2word plugin versions = 1.1.0. Solution Deactivate and delete. This plugin has been closed as of October 19, 2021 and is not available for download. Reason: Security Issue...

3.5AI score
Exploits0References2Affected Software1
WPVulnDB
WPVulnDB
added 2022/02/16 12:0 a.m.10 views

hub2word <= 1.1.0 - Subscriber+ Arbitrary Options Update

The plugin does not have authorisation and CSRF checks in its Hub2Wordsavesettings AJAX action, and does not validate the option key to be updated. As a result, any authenticated user, such as subscriber could update arbitrary WordPress options PoC POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...

0.8AI score
Exploits0Affected Software1
wpexploit
wpexploit
added 2022/02/16 12:0 a.m.91 views

hub2word <= 1.1.0 - Subscriber+ Arbitrary Options Update

The plugin does not have authorisation and CSRF checks in its Hub2Wordsavesettings AJAX action, and does not validate the option key to be updated. As a result, any authenticated user, such as subscriber could update arbitrary WordPress options POST /wp-admin/admin-ajax.php HTTP/1.1 Accept:...

0.8AI score
Exploits0
Vulnrichment
Vulnrichment
added 2022/01/18 4:52 p.m.6 views

CVE-2022-0215 XootiX Plugins <= Various Versions Cross-Site Request Forgery to Arbitrary Options Update

The Login/Signup Popup, Waitlist Woocommerce Back in stock notifier , and Side Cart Woocommerce Ajax WordPress plugins by XootiX are vulnerable to Cross-Site Request Forgery via the savesettings function found in the /includes/xoo-framework/admin/class-xoo-admin-settings.php file which makes it...

8.8CVSS8.5AI score0.0082EPSS
Exploits2References5
OpenVAS
OpenVAS
added 2022/01/18 12:0 a.m.15 views

WordPress PublishPress Capabilities Plugin < 2.3.1 Arbitrary Options Update Vulnerability

The WordPress plugin Copyright C 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can redistribute it and/or modify it...

9.8CVSS9.7AI score0.06745EPSS
Exploits2References2
wpexploit
wpexploit
added 2022/01/13 12:0 a.m.89 views

XootiX Plugins - Various Versions CSRF to Arbitrary Options Update

The plugins Login/Signup Popup, Side Cart Woocommerce, and Waitlist Woocommerce are all vulnerable to cross-site request forgery due to a missing nonce check that would make it possible for attackers to update arbitrary options on a vulnerable WordPress site...

8.8CVSS0.9AI score0.0082EPSS
Exploits2References1
Patchstack
Patchstack
added 2022/01/13 12:0 a.m.30 views

WordPress Login/Signup Popup plugin <= 2.2 - Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Options Update

Cross-Site Request Forgery CSRF vulnerability leading to Arbitrary Options Update discovered by Chloe Chamberland Wordfence in WordPress Login/Signup Popup plugin versions = 2.2. Solution Update the WordPress Login/Signup Popup plugin to the latest available version at least 2.3...

8.8CVSS2.5AI score0.0082EPSS
Exploits2References3Affected Software1
Patchstack
Patchstack
added 2022/01/13 12:0 a.m.21 views

WordPress Side Cart Woocommerce (Ajax) plugin <= 2.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Options Update

Cross-Site Request Forgery CSRF vulnerability leading to Arbitrary Options Update discovered by Chloe Chamberland in WordPress Side Cart Woocommerce Ajax plugin versions = 2.0. Solution Update the WordPress Side Cart Woocommerce Ajax plugin to the latest available version at least 2.1...

8.8CVSS2.9AI score0.0082EPSS
Exploits2References3Affected Software1
Cvelist
Cvelist
added 2022/01/10 12:0 a.m.36 views

CVE-2021-25032 PublishPress Capabilities < 2.3.1 - Unauthenticated Arbitrary Options Update to Blog Compromise

The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a...

9.7AI score0.06745EPSS
Exploits2References2
Tenable Nessus
Tenable Nessus
added 2021/12/23 12:0 a.m.15 views

PublishPress Capabilities Plugin for WordPress < 2.3.1 Arbitrary Options Update

The WordPress PublishPress Capabilities Plugin installed on the remote host is affected by an unauthenticated arbitrary WordPress options update vulnerability. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number. No...

9.8CVSS7.7AI score0.06745EPSS
Exploits2References3
Tenable Nessus
Tenable Nessus
added 2021/12/23 12:0 a.m.11 views

Kiwi Social Share Plugin for WordPress 2.1.0 < 2.1.3 Arbitrary Options Update

The WordPress Kiwi Social Share Plugin installed on the remote host is affected by an unauthenticated arbitrary WordPress options update vulnerability. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number. No source da...

7.7AI score
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2021/12/16 12:0 a.m.4 views

VulnCheck KEV: CVE-2021-36888

Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate versions = 9.6.1 WordPress plugin...

9.8CVSS7.3AI score0.0674EPSS
Exploits1References1
OSV
OSV
added 2021/12/15 7:15 p.m.5 views

CVE-2021-36888

Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate versions = 9.6.1 WordPress plugin...

9.8CVSS5.8AI score0.0674EPSS
Exploits1References2
Prion
Prion
added 2021/12/15 7:15 p.m.15 views

Code injection

Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate versions = 9.6.1 WordPress plugin...

7.5CVSS9.3AI score0.0674EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2021/12/15 6:6 p.m.7 views

CVE-2021-36888 WordPress Image Hover Effects Ultimate plugin <= 9.6.1 - Unauthenticated Arbitrary Options Update leading to full website compromise

Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate versions = 9.6.1 WordPress plugin...

9.8CVSS9.6AI score0.0674EPSS
Exploits1References2
Rows per page
Query Builder