
166 matches found

Prion, added 2023/06/16 9:15 a.m., 23 views

Code injection

Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the message threads API...

CVSS 4, AI score 6.5, EPSS 0.0054
Exploits 0, References 1, Affected Software 1
Cvelist, added 2023/06/16 8:55 a.m., 43 views

CVE-2023-2787 Collapsed Reply Threads APIs leak message contents from private channels

Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts by using the message threads API...

CVSS 6.5, AI score 6.7, EPSS 0.0054
Exploits 0, References 1
CNNVD, added 2023/06/16 12:00 a.m., 5 views

Mattermost security vulnerability

Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. Mattermost suffers from an access control error vulnerability that stems from not verifying channel membership when accessing a message thread, which can be exploited by an attacker to...

CVSS 6.5, AI score 6.9, EPSS 0.0054
Exploits 0, References 2
CNNVD, added 2023/06/16 12:00 a.m., 6 views

Mattermost security vulnerability

Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. Mattermost suffers from an input validation error vulnerability that stems from Mattermost failing to validate all parameters when creating scripts that run through the /dialog API, which can be...

CVSS 4.3, AI score 6.8, EPSS 0.00402
Exploits 0, References 2
Prion, added 2023/04/05 6:15 p.m., 18 views

Design/Logic Flaw

The WCFM Marketplace plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 3.4.11 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions such as...

CVSS 6.5, AI score 8.5, EPSS 0.00723
Exploits 0, References 2, Affected Software 1
OSV, added 2023/03/13 5:15 p.m., 3 views

CVE-2023-0772

The Popup Builder by OptinMonster WordPress plugin before 2.12.2 does not ensure that the campaign to be loaded via some shortcodes is actually a campaign, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, like draft, private or even password protected...

CVSS 6.5, AI score 7, EPSS 0.00778
Exploits 2, References 1
NVD, added 2023/03/13 5:15 p.m., 12 views

CVE-2023-0772

The Popup Builder by OptinMonster WordPress plugin before 2.12.2 does not ensure that the campaign to be loaded via some shortcodes is actually a campaign, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, like draft, private or even password protected...

CVSS 6.5, AI score 6.5, EPSS 0.00778
Exploits 2, References 1
Prion, added 2023/03/13 5:15 p.m., 16 views

Buffer overflow

The Ocean Extra WordPress plugin before 2.1.3 does not ensure that the template to be loaded via a shortcode is actually a template, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, such as draft, private or even password protected ones...

CVSS 4, AI score 6.5, EPSS 0.00654
Exploits 2, References 1, Affected Software 1
Cvelist, added 2023/03/13 4:03 p.m., 26 views

CVE-2023-0749 Ocean Extra < 2.1.3 - Subscriber+ Arbitrary Post Content Disclosure

The Ocean Extra WordPress plugin before 2.1.3 does not ensure that the template to be loaded via a shortcode is actually a template, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, such as draft, private or even password protected ones...

AI score 6.6, EPSS 0.00654
Exploits 2, References 1
Vulnrichment, added 2023/03/13 4:03 p.m., 8 views

CVE-2023-0772 Popup Builder by OptinMonster < 2.12.2 - Subscriber+ Arbitrary Post Content Disclosure

The Popup Builder by OptinMonster WordPress plugin before 2.12.2 does not ensure that the campaign to be loaded via some shortcodes is actually a campaign, allowing any authenticated users such as subscriber to retrieve the content of arbitrary posts, like draft, private or even password protected...

AI score 6.5, EPSS 0.00778
Exploits 2, References 1
Positive Technologies, added 2023/03/13 12:00 a.m., 7 views

PT-2023-16500 · WordPress · Ocean Extra

Name of the Vulnerable Software and Affected Versions: Ocean Extra WordPress plugin versions prior to 2.1.3. Description: The issue allows any authenticated users, such as subscribers, to retrieve the content of arbitrary posts, including drafts, private, or password-protected ones, by not ensurin...

CVSS 6.5, AI score 9.5, EPSS 0.00654
Exploits 2, References 5
OSV, added 2023/02/13 3:15 p.m., 2 views

CVE-2023-0405

The GPT AI Power: Content Writer & ChatGPT & Image Generator & WooCommerce Product Writer & AI Training WordPress plugin before 1.4.38 does not perform any kind of nonce or privilege checks before letting logged-in users modify arbitrary posts...

CVSS 4.3, AI score 5.9, EPSS 0.00512
Exploits 2, References 1
NVD, added 2023/02/13 3:15 p.m., 32 views

CVE-2023-0405

The GPT AI Power: Content Writer & ChatGPT & Image Generator & WooCommerce Product Writer & AI Training WordPress plugin before 1.4.38 does not perform any kind of nonce or privilege checks before letting logged-in users modify arbitrary posts...

CVSS 5.4, AI score 4.9, EPSS 0.00512
Exploits 2, References 1
Prion, added 2023/02/13 3:15 p.m., 18 views

Design/Logic Flaw

The WP FullCalendar WordPress plugin before 1.5 does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected...

CVSS 5, AI score 5.4, EPSS 0.00694
Exploits 2, References 1, Affected Software 1
Cvelist, added 2023/02/13 2:32 p.m., 22 views

CVE-2022-3891 WP FullCalendar < 1.5 - Unauthenticated Arbitrary Post Access

The WP FullCalendar WordPress plugin before 1.5 does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected...

AI score 5.5, EPSS 0.00694
Exploits 2, References 1
ATTACKERKB, added 2023/01/27 9:15 p.m., 2 views

CVE-2023-0550

The Quick Restaurant Menu plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the fact that during menu item deletion/modification, the plugin does not verify that the post ID provided to the AJAX action is indeed a menu...

CVSS 7.6, AI score 6.1, EPSS 0.0065
Exploits 1, References 4
OSV, added 2023/01/27 9:15 p.m., 4 views

CVE-2023-0550

The Quick Restaurant Menu plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the fact that during menu item deletion/modification, the plugin does not verify that the post ID provided to the AJAX action is indeed a menu...

CVSS 4.3, AI score 5.9
Exploits 0, References 3
Prion, added 2023/01/27 9:15 p.m., 24 views

Design/Logic Flaw

The Quick Restaurant Menu plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the fact that during menu item deletion/modification, the plugin does not verify that the post ID provided to the AJAX action is indeed a menu...

CVSS 4, AI score 4.6, EPSS 0.0065
Exploits 1, References 3, Affected Software 1
Prion, added 2023/01/23 3:15 p.m., 14 views

Cross-site request forgery (CSRF)

The Passster WordPress plugin before 3.5.5.9 does not properly check for password, as well as that the post to be viewed is public, allowing unauthenticated users to bypass the protection offered by the plugin, and access arbitrary posts such as private content, by sending a specifically crafted...

CVSS 5, AI score 7.7, EPSS 0.00818
Exploits 2, References 1, Affected Software 1
Prion, added 2023/01/09 11:15 p.m., 19 views

Cross-site request forgery (CSRF)

The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorisation and CSRF checks when creating a template, and does not ensure that the post created is a template. This could allow any authenticated users, such as subscriber to create a post as well as any post type with an...

CVSS 4, AI score 4.7, EPSS 0.00262
Exploits 1, References 1, Affected Software 1
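The WordPress entries above (Ocean Extra, Popup Builder, WP FullCalendar, Quick Restaurant Menu, GPT AI Power, Royal Elementor Addons) all describe the same missing checks: a client-supplied post ID is used without confirming (1) that it refers to the object type the feature serves, (2) that the requesting user may read or change that object, and (3) for state-changing AJAX actions, that the request carries a valid nonce. The block below is an added example written for this page, not code from any of the listed plugins or advisories. It shows a hypothetical plugin's vulnerable shortcode and AJAX handler next to hardened versions. It assumes the WordPress core API (add_shortcode, get_post, current_user_can, check_ajax_referer and friends); the plugin prefix xyz_, the post types xyz_template and xyz_menu_item, and the nonce action name are made up.

```php
<?php
/*
 * Added example (not from any plugin listed on this page). Assumes WordPress
 * core; everything prefixed xyz_ and the post types below are hypothetical.
 */

// VULNERABLE shortcode: the pattern behind the Ocean Extra / Popup Builder
// entries. Any post ID is rendered, whatever its type, status or password.
add_shortcode( 'xyz_template_vuln', function ( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts );
    $post = get_post( absint( $atts['id'] ) );
    return $post ? apply_filters( 'the_content', $post->post_content ) : '';
} );

/**
 * Resolve a client-supplied ID to a post the current request may read.
 * Returns the WP_Post on success, null on any failed check (deny by default).
 */
function xyz_get_viewable_post( $post_id, $expected_type ) {
    $post = get_post( absint( $post_id ) );
    if ( ! $post instanceof WP_Post ) {
        return null;
    }
    // 1. Type confusion: the ID must name the object kind this feature serves,
    //    otherwise "template" or "campaign" IDs become arbitrary post IDs.
    if ( $post->post_type !== $expected_type ) {
        return null;
    }
    // 2. Visibility. Published posts of a viewable type are public. Anything
    //    else goes through the 'read_post' meta capability, which WordPress
    //    maps to read_private_posts for private posts and edit_post for drafts,
    //    so subscribers and anonymous users are refused.
    $public = 'publish' === $post->post_status && is_post_type_viewable( $post->post_type );
    if ( ! $public && ! current_user_can( 'read_post', $post->ID ) ) {
        return null;
    }
    // 3. Password protection is a separate gate the capability check ignores.
    if ( post_password_required( $post ) ) {
        return null;
    }
    return $post;
}

// HARDENED shortcode: same feature, all three checks applied.
add_shortcode( 'xyz_template', function ( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts );
    $post = xyz_get_viewable_post( $atts['id'], 'xyz_template' );
    return $post ? apply_filters( 'the_content', $post->post_content ) : '';
} );

// VULNERABLE AJAX handler: the pattern behind the Quick Restaurant Menu and
// GPT AI Power entries. No nonce, no capability check, no post-type check, so
// any logged-in user (or a CSRF'd admin) can delete any post on the site.
add_action( 'wp_ajax_xyz_delete_item_vuln', function () {
    wp_delete_post( absint( $_POST['id'] ), true );
    wp_send_json_success();
} );

// HARDENED AJAX handler. Registered on wp_ajax_ only (never wp_ajax_nopriv_),
// so logged-out requests are rejected by core before this code runs.
add_action( 'wp_ajax_xyz_delete_item', function () {
    // CSRF: the nonce is created with wp_create_nonce( 'xyz_delete_item' ) and
    // handed to the page's script; check_ajax_referer() dies on mismatch.
    check_ajax_referer( 'xyz_delete_item', 'nonce' );

    $post = get_post( absint( $_POST['id'] ?? 0 ) );
    // Type confusion: only our own menu items may be deleted through here.
    if ( ! $post || 'xyz_menu_item' !== $post->post_type ) {
        wp_send_json_error( 'not a menu item', 404 );
    }
    // Authorization: the nonce proves intent, not permission. delete_post is
    // a meta capability resolved per post (author vs. others' posts).
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_post( $post->ID, true );
    wp_send_json_success( array( 'deleted' => $post->ID ) );
} );
```

Two points worth keeping in mind when reviewing plugin code for this class of bug: a shortcode that renders posts is reachable by low-privileged users through any path that evaluates shortcodes on their behalf (core's parse-media-shortcode admin-ajax action is one such path), so the shortcode handler itself must enforce visibility rather than relying on where the shortcode is placed; and a nonce check on its own never substitutes for a capability check, since every logged-in user can obtain a valid nonce for an action if the page that issues it is visible to them.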