45 matches found
WordPress Fancy Product Designer plugin server-side request forgery vulnerability
WordPress Fancy Product Designer plugin is an e-commerce plugin designed for the WordPress platform, mainly used to implement the product online customization function. A server-side request forgery vulnerability exists in the WordPress Fancy Product Designer plugin, which stems from the presence...
EUVD-2025-60969
The Crypto plugin for WordPress is vulnerable to unauthorized manipulation of data in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action wpajaxnoprivcryptoconnectajaxprocess that allows calling the cryptodeletejson method with only a...
Linux Distros Unpatched Vulnerability : CVE-2025-43926
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in Znuny through 6.5.14 and 7.x through 7.1.6. Custom AJAX calls to the AgentPreferences UpdateAJAX subaction can be used to set user...
CVE-2021-24988
The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprssdismissaddonnotice AJAX action missing authorisation and CSRF checks, allowing any authenticated...
CVE-2021-24948
The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tpgetdlpostinfoajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts...
CVE-2021-24910
The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the a parameter via an AJAX action available to both unauthenticated and authenticated users when the curl library is installed before outputting it back in the response, leading to a Reflected Cross-Si...
WordPress plugin Ni Sales Commission For WooCommerce 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...
PT-2024-16660 · WordPress · Authors List
Name of the Vulnerable Software and Affected Versions: The Authors List plugin for WordPress versions up to, and including, 2.0.4 Description: The issue allows unauthenticated attackers to execute arbitrary shortcodes due to the software permitting users to execute an action that does not properl...
CVE-2020-36840
The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wpajaxrouteurl function called via a nopriv AJAX action in versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers t...
CVE-2021-4445
The Premium Addons for Elementor plugin for WordPress is vulnerable to Arbitrary Option Updates in versions up to, and including, 4.5.1. This is due to missing capability and nonce checks in the padismissadminnotice AJAX action. This makes it possible for authenticated subscriber+ attackers to...
PT-2024-37849 · WordPress · Social Auto Poster
Name of the Vulnerable Software and Affected Versions: Social Auto Poster plugin for WordPress versions up to, and including, 5.3.14 Description: The issue is related to Stored Cross-Site Scripting via the mapTypes parameter in the 'wpw auto poster map wordpress post type' AJAX function due to...
WordPress plugin WPFront User Role Editor 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blogging sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerabilit...
DEBIAN-CVE-2021-47169
In the Linux kernel, the following vulnerability has been resolved: serial: rp2: use 'requestfirmware' instead of 'requestfirmwarenowait' In 'rp2probe', the driver registers 'rp2uartinterrupt' then calls 'rp2fwcb' through 'requestfirmwarenowait'. In 'rp2fwcb', if the firmware don't exists, functi...
VulnCheck KEV: CVE-2021-24285
The requestlistrequest AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the orderid POST parameter before using it in a SQL statement, leading to a SQL...
PT-2024-15402 · Zoom · Zoom
Name of the Vulnerable Software and Affected Versions: EventON WordPress plugin versions prior to 4.5.5 EventON WordPress plugin versions prior to 2.2.7 Description: The issue allows unauthenticated users to retrieve the settings of arbitrary virtual events, including any meeting password set, du...
VulnCheck KEV: CVE-2022-0769
The Users Ultra WordPress plugin through 3.1.0 fails to properly sanitize and escape the datatarget parameter before it is being interpolated in an SQL statement and then executed via the ratingvote AJAX action available to both unauthenticated and authenticated users, leading to an SQL...
VulnCheck KEV: CVE-2022-4117
The IWS WordPress plugin through 1.0 does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection...
CVE-2023-4600
The AffiliateWP for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'affwpactivateaddonspageplugin' function called via an AJAX action in versions up to, and including, 2.14.0. This makes it possible for authenticated attackers, with...
PT-2022-13289 · WordPress · The Professional Social Sharing Buttons
Name of the Vulnerable Software and Affected Versions: The Professional Social Sharing Buttons, Icons & Related Posts WordPress plugin versions prior to 9.7.6 Description: The issue is related to a lack of proper authorization check in one of the AJAX actions, allowing unauthorized access to...
CVE-2022-1659
Vulnerable versions of the JupiterX Core = 2.0.6 plugin register an AJAX action jupiterxconditionalmanager which can be used to call any function in the includes/condition/class-condition-manager.php file by sending the desired function to call in the subaction parameter. This can be used to view...