320 matches found
CVE-2019-25149
The Gallery Images Ape plugin for WordPress is vulnerable to Arbitrary Plugin Deactivation in versions up to, and including, 2.0.6. This allows authenticated attackers with any capability level to deactivate any plugin on the site, including plugins necessary to site functionality or security...
CVE-2020-36719
The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lpccaddonsactions function. This makes it possible for unauthenticated attacker...
CVE-2024-10781
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an missing empty value check on the 'apikey' value in the 'perform' function in all versions up to, and including, 6.44. This makes it possible for...
CVE-2024-10673
The Top Store theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the topstoreinstallandactivatecallback function in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with subscriber-level...
WordPress Starter Templates by FancyWP plugin <= 2.0.0 - CSRF to Arbitrary Plugin Installation vulnerability
CSRF to Arbitrary Plugin Installation vulnerability discovered by Abdi Pranata in WordPress Plugin Starter Templates by FancyWP versions = 2.0.0...
WordPress Munk Sites plugin <= 1.0.7 - CSRF to Arbitrary Plugin Installation vulnerability
CSRF to Arbitrary Plugin Installation vulnerability discovered by Abdi Pranata in WordPress Plugin Munk Sites versions = 1.0.7...
CVE-2023-28990 WordPress Viral Mag theme <= 1.0.9 - Authenticated Arbitrary Plugin Activation Vulnerability
Missing Authorization vulnerability in hashthemes Viral Mag viral-mag allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Viral Mag: from n/a through = 1.0.9...
CVE-2023-28990 WordPress Viral Mag theme <= 1.0.9 - Authenticated Arbitrary Plugin Activation Vulnerability
Missing Authorization vulnerability in HashThemes Viral Mag allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Viral Mag: from n/a through 1.0.9...
CVE-2023-27456 WordPress Total theme <= 2.1.19 - Authenticated Arbitrary Plugin Activation
Missing Authorization vulnerability in HashThemes Total allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Total: from n/a through 2.1.19...
CVE-2023-27456 WordPress Total theme <= 2.1.19 - Authenticated Arbitrary Plugin Activation
Missing Authorization vulnerability in hashthemes Total total allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Total: from n/a through = 2.1.19...
WordPress Zita Site Builder plugin <= 1.0.2 - Arbitrary Plugin Installation and Activation vulnerability
Arbitrary Plugin Installation and Activation vulnerability discovered by stealthcopter Patchstack Alliance in WordPress Plugin Zita Site Builder versions = 1.0.2...
CVE-2023-28416 WordPress Chankhe theme <= 1.0.5 - Authenticated Arbitrary Plugin Activation vulnerability
Missing Authorization vulnerability in sparklewpthemes Chankhe chankhe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Chankhe: from n/a through = 1.0.5...
CVE-2023-28532 WordPress Real Estate Directory theme <= 1.0.5 - Authenticated Arbitrary Plugin Activation
Missing Authorization vulnerability in wpdirectorykit.com Real Estate Directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Real Estate Directory: from n/a through 1.0.5...
WordPress One Paze theme <= 2.2.8 - Authenticated Arbitrary Plugin Activation/Deactivation to RCE vulnerability
Authenticated Arbitrary Plugin Activation/Deactivation to RCE vulnerability discovered by Mika Patchstack Alliance in WordPress Theme One Paze versions = 2.2.8...
CVE-2024-10578
The Pubnews theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the pubnewsimporterpluginactionfornotice function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2024-10578 Pubnews <= 1.0.7 - Authenticated (Subscriber+) Arbitrary Plugin Installation
The Pubnews theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the pubnewsimporterpluginactionfornotice function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2024-10578 Pubnews <= 1.0.7 - Authenticated (Subscriber+) Arbitrary Plugin Installation
The Pubnews theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the pubnewsimporterpluginactionfornotice function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level...
Critical WordPress Anti-Spam Plugin Flaws Expose 200,000+ Sites to Remote Attacks
Two critical security flaws impacting the Spam protection, Anti-Spam, and FireWall plugin for WordPress could allow an unauthenticated attacker to install and enable malicious plugins on susceptible sites and potentially achieve remote code execution. The vulnerabilities, tracked as CVE-2024-1054...
CVE-2024-10542
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for...
CVE-2024-10542 Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.43.2 - Authorization Bypass via Reverse DNS Spoofing to Unauthenticated Arbitrary Plugin Installation
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for...