320 matches found
CVE-2023-33923 Broken Access Control leading to Arbitrary Plugin Activation in multiple HashThemes themes
Missing Authorization vulnerability in HashThemes Viral News, HashThemes Viral, HashThemes HashOne.This issue affects Viral News: from n/a through 1.4.5; Viral: from n/a through 1.8.0; HashOne: from n/a through 1.3.0...
CVE-2023-6985
The 10Web AI Assistant – AI content writing assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the installplugin AJAX action in all versions up to, and including, 1.0.18. This makes it possible for authenticated attackers, with...
WordPress Ocean Extra Plugin < 2.2.3 CSRF Vulnerability
The WordPress plugin SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:oceanwp:oceanextra"; if description...
CVE-2023-40201
Cross-Site Request Forgery CSRF vulnerability in FuturioWP Futurio Extra plugin = 1.8.4 versions leads to activation of arbitrary plugin...
CVE-2023-40201
Cross-Site Request Forgery CSRF vulnerability in FuturioWP Futurio Extra plugin = 1.8.4 versions leads to activation of arbitrary plugin...
Cross site request forgery (csrf)
Cross-Site Request Forgery CSRF vulnerability in FuturioWP Futurio Extra plugin = 1.8.4 versions leads to activation of arbitrary plugin...
CVE-2023-2916
The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'adminnotice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. ...
CVE-2023-2916 InfiniteWP Client <= 1.11.1 - Authenticated (Subscriber+) Sensitive Information Exposure
The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'adminnotice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. ...
Exploit for Missing Authorization in Wpdeveloper Simple_301_Redirects
CVE-2021-24356 Simple 301 Redirects by BetterLinks - 2.0.0 – 2...
CVE-2023-2877
The Formidable Forms WordPress plugin before 6.3.1 does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the...
CVE-2023-2280
The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'ajaxpublic' function in versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to delete or change plugin...
CVE-2022-4950
Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber...
CVE-2020-36731
The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction function...
CVE-2020-36719
The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lpccaddonsactions function. This makes it possible for unauthenticated attacker...
CVE-2020-36719
The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lpccaddonsactions function. This makes it possible for unauthenticated attacker...
CVE-2019-25149
The Gallery Images Ape plugin for WordPress is vulnerable to Arbitrary Plugin Deactivation in versions up to, and including, 2.0.6. This allows authenticated attackers with any capability level to deactivate any plugin on the site, including plugins necessary to site functionality or security...
Design/Logic Flaw
The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lpccaddonsactions function. This makes it possible for unauthenticated attacker...
CVE-2022-4950
CVE-2022-4950 affects WordPress plugins developed by Cool Plugins. Affected component is arbitrary plugin installation/activation that can lead to remote code execution by authenticated users with minimal permissions (e.g., subscriber). Attack vector inferred as network-based from CVSS metrics, w...
CVE-2019-25149 Gallery Images Ape <= 2.0.6 - Authenticated Plugin Deactivation
The Gallery Images Ape plugin for WordPress is vulnerable to Arbitrary Plugin Deactivation in versions up to, and including, 2.0.6. This allows authenticated attackers with any capability level to deactivate any plugin on the site, including plugins necessary to site functionality or security...
CVE-2019-25149 Gallery Images Ape <= 2.0.6 - Authenticated Plugin Deactivation
The Gallery Images Ape plugin for WordPress is vulnerable to Arbitrary Plugin Deactivation in versions up to, and including, 2.0.6. This allows authenticated attackers with any capability level to deactivate any plugin on the site, including plugins necessary to site functionality or security...