Lucene search
K

166 matches found

Prion
Prion
added 2023/01/09 11:15 p.m.27 views

Cross site request forgery (csrf)

The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorization and CSRF checks when deleting a template and does not ensure that the post to be deleted is a template. This could allow any authenticated users, such as subscribers, to delete arbitrary posts assuming they know...

2.1CVSS4.2AI score0.00251EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2022/12/26 12:28 p.m.34 views

CVE-2022-4239 Workreap < 2.6.4 - Subscriber+ Arbitrary Posts Deletion via IDOR

The Workreap WordPress theme before 2.6.4 does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreapaddonsserviceremove action, allowing any user to delete any post by knowing or guessing the id...

6.7AI score0.00593EPSS
Exploits2References1
WPVulnDB
WPVulnDB
added 2022/12/02 12:0 a.m.13 views

Workreap < 2.6.4 - Subscriber+ Arbitrary Posts Deletion via IDOR

The theme does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreapaddonsserviceremove action, allowing any user to delete any post by knowing or guessing the id. PoC POST /testt/wp-admin/admin-ajax.php HTTP/...

6.5CVSS2.3AI score0.00593EPSS
Exploits2Affected Software1
wpexploit
wpexploit
added 2022/12/02 12:0 a.m.106 views

Workreap < 2.6.4 - Subscriber+ Arbitrary Posts Deletion via IDOR

The theme does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreapaddonsserviceremove action, allowing any user to delete any post by knowing or guessing the id. POST /testt/wp-admin/admin-ajax.php HTTP/2...

6.5CVSS2.4AI score0.00593EPSS
Exploits2
CNNVD
CNNVD
added 2022/06/16 12:0 a.m.9 views

Online Discussion Forum Site 安全漏洞

Sourcecodester Online Discussion Forum Site is an application of Sourcecodester. An online discussion forum. A security vulnerability exists in Online Discussion Forum Site. An attacker can exploit this vulnerability to delete arbitrary posts via the deletepost function...

7.5CVSS7.5AI score0.01344EPSS
Exploits2References3
CNNVD
CNNVD
added 2022/04/25 12:0 a.m.21 views

WordPress plugin myCred 安全漏洞

WordPress is a set of blogging platform developed using the PHP language. myCred 2.4.4, a WordPress plugin, previously had an authorization issue vulnerability, which stems from the plugin's failure to perform any authorization and CSRF checks in the myCred tool's import and export AJAX operation...

4.3CVSS5.8AI score0.00333EPSS
Exploits1References3
NVD
NVD
added 2022/03/28 6:15 p.m.18 views

CVE-2021-24978

The OSMapper WordPress plugin through 2.1.5 contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wpajaxnopriv prefix, making it available to unauthenticated users. There is no authorisation, CSRF and checks in place to ensure that the post to delete ...

5.3CVSS0.00519EPSS
Exploits2References1
Prion
Prion
added 2022/03/28 6:15 p.m.13 views

Cross site request forgery (csrf)

The OSMapper WordPress plugin through 2.1.5 contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wpajaxnopriv prefix, making it available to unauthenticated users. There is no authorisation, CSRF and checks in place to ensure that the post to delete ...

5CVSS5.4AI score0.00519EPSS
Exploits2References1Affected Software1
CNVD
CNVD
added 2022/03/02 12:0 a.m.20 views

Wordpress Orange Form Plugin Cross-Site Request Forgery Vulnerability

WordPress is the Wordpress Foundation's suite of blogging platforms developed using the PHP language. The platform supports the hosting of personal blogging sites on PHP and MySQL servers. cross-site request forgery vulnerability exists in Wordpress Orange Form Plugin 1.0.1 and prior versions,...

4.3CVSS2.4AI score0.00426EPSS
Exploits2References1
NVD
NVD
added 2022/02/28 9:15 a.m.27 views

CVE-2021-24688

The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls, for example the ordeletefiled one which is available to both unauthenticated and authenticated users could allow attackers to delete arbitrary posts.The AJAX calls performing...

4.3CVSS0.00426EPSS
Exploits2References1
Prion
Prion
added 2022/02/28 9:15 a.m.21 views

Cross site request forgery (csrf)

The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin's settings...

3.5CVSS5.7AI score0.0042EPSS
Exploits2References2Affected Software1
Prion
Prion
added 2022/02/28 9:15 a.m.16 views

Cross site request forgery (csrf)

The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls, for example the ordeletefiled one which is available to both unauthenticated and authenticated users could allow attackers to delete arbitrary posts.The AJAX calls performing...

4.3CVSS4.8AI score0.00426EPSS
Exploits2References1Affected Software1
Cvelist
Cvelist
added 2022/02/28 9:6 a.m.27 views

CVE-2021-25011 WP Google Map < 1.8.1 - Subscriber+ Arbitrary Post Deletion and Plugin's Settings Update

The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin's settings...

5.9AI score0.0042EPSS
Exploits2References2
CNVD
CNVD
added 2022/01/26 12:0 a.m.20 views

WordPress Qubely plugin cross-site request forgery vulnerability

WordPress is the WordPress Foundation's set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. cross-site request forgery vulnerability exists in versions prior to 1.7.8 of the Qubely plugin for WordPress, which...

4CVSS3AI score0.00429EPSS
Exploits2Affected Software1
CNVD
CNVD
added 2022/01/26 12:0 a.m.18 views

WordPress Ultimate FAQ plugin cross-site request forgery vulnerability

WordPress is the WordPress Foundation's set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. cross-site request forgery vulnerability exists in versions prior to 2.1.2 of the Ultimate FAQ plugin for...

3.5CVSS3.3AI score0.00426EPSS
Exploits2Affected Software1
OSV
OSV
added 2022/01/24 8:15 a.m.4 views

CVE-2021-25013

The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubelydeletesavedblock AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts...

6.5CVSS6.7AI score0.00429EPSS
Exploits2References1
OSV
OSV
added 2022/01/24 8:15 a.m.9 views

CVE-2021-24989

The Accept Donations with PayPal WordPress plugin before 1.3.4 does not have CSRF check in place and does not ensure that the post to be deleted belongs to the plugin, allowing attackers to make a logged in admin delete arbitrary posts from the blog...

6.5CVSS5.9AI score0.00538EPSS
Exploits2References1
Prion
Prion
added 2022/01/24 8:15 a.m.17 views

Cross site request forgery (csrf)

The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubelydeletesavedblock AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts...

4CVSS6.4AI score0.00429EPSS
Exploits2References1Affected Software1
CNNVD
CNNVD
added 2022/01/24 12:0 a.m.6 views

WordPress 跨站请求伪造漏洞

WordPress is the WordPress Foundation's set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. cross-site request forgery vulnerability exists in versions prior to 1.7.8 of the Qubely plugin for WordPress, which...

6.5CVSS5.7AI score0.00429EPSS
Exploits2References2
WPVulnDB
WPVulnDB
added 2022/01/03 12:0 a.m.20 views

Document Embedder < 1.7.5 - Unauthenticated Arbitrary Private/Draft Post Title Disclosure

The plugin contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts. PoC https://example.com/wp-json/doc/v1/single/509 509 being the ID of a private/draft Post...

5.3CVSS1.5AI score0.01327EPSS
Exploits2Affected Software1
Rows per page
Query Builder