5257 matches found
CVE-2024-5993
The Cliengo – Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updatesession' function in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, ...
CVE-2024-5704
The XPlainer – WooCommerce Product FAQ WooCommerce Accordion FAQ Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions i.e. ffwinsertnewfaq, ffwhidediscountnotice, ffwdeleteallfaqs, ffwdeletesinglefaq, etc... in all...
CVE-2024-5669
The XPlainer – WooCommerce Product FAQ WooCommerce Accordion FAQ Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ffwactivatetemplate' function in all versions up to, and including, 1.7.0. This makes it possible for...
CVE-2024-5600
The SCSS Happy Compiler – Compile SCSS to CSS & Automatic Enqueue plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check and insufficient sanitization on the importsettings function in all versions up to, and including, 1.3.10. This makes it possible f...
CVE-2024-5600
The SCSS Happy Compiler – Compile SCSS to CSS & Automatic Enqueue plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check and insufficient sanitization on the importsettings function in all versions up to, and including, 1.3.10. This makes it possible f...
CVE-2024-3608
The Product Designer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the productdesignerajaxdeleteattachid function in all versions up to, and including, 1.0.33. This makes it possible for unauthenticated attackers to delete arbitrary...
CVE-2024-6069 Pie Register - Basic <= 3.8.3.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation
The Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the pieregisterinstalladdon function in...
CVE-2024-5669
CVE-2024-5669 affects XPlainer – Product FAQs for WooCommerce & AI FAQ Generator (WordPress). Root cause: missing capability check in the ffw_activate_template function across all versions up to 1.6.4, allowing authenticated attackers with Subscriber+ access to store cross-site scripting that tri...
CVE-2024-4102
CVE-2024-4102 affects the Pricing Table plugin for WordPress. The root cause is a missing capability check in the ajax() function across versions up to and including 2.0.1, enabling authenticated attackers with subscriber-level access or higher to perform unauthorized actions such as editing pric...
CVE-2024-5992
CVE-2024-5992 - Cliengo for WordPress : The Cliengo – Chatbot plugin is vulnerable to unauthorized modification of data due to a missing capability check on update_chatbot_token and update_chatbot_position in all versions up to 3.0.1. This allows unauthenticated attackers to change chatbot settin...
CVE-2024-5648 LearnDash LMS - Reports Free <= 1.8.2.1 - Missing Authorization to Plugin Settings Update
The LearnDash LMS – Reports plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions i.e. wrldsetconfiguration, wrldexcludesettingssave, applytimetrackingsettings, wpajaxwrldgutenbergblockvisit, etc.. in all versions up to, and...
CVE-2024-5648 LearnDash LMS - Reports Free <= 1.8.2 - Missing Authorization to Plugin Settings Update
The LearnDash LMS – Reports plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...
CVE-2024-5856 Comment Images Reloaded <= 2.2.1 - Authenticated (Subscriber+) Arbitrary Media Deletion
The Comment Images Reloaded plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the cirdeleteimage AJAX action in all versions up to, and including, 2.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, ...
CVE-2024-5600
CVE-2024-5600 concerns the WordPress plugin “SCSS Happy Compiler – Compile SCSS to CSS & Automatic Enqueue.” The vulnerability is a Stored Cross-Site Scripting (XSS) due to a missing capability check and insufficient sanitization in the import_settings() function. It affects all versions up to an...
CVE-2024-5600 Happy SCSS Compiler - Compile SCSS to CSS automatically <= 1.3.10 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
The SCSS Happy Compiler – Compile SCSS to CSS & Automatic Enqueue plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check and insufficient sanitization on the importsettings function in all versions up to, and including, 1.3.10. This makes it possible f...
CVE-2024-3608
CVE-2024-3608 affects the Product Designer plugin for WordPress. It enables unauthenticated attackers to delete arbitrary attachments due to a missing capability check in product_designer_ajax_delete_attach_id() in versions up to 1.0.33. The vulnerability status and exact impacted versions are do...
CVE-2024-5704
CVE-2024-5704 affects the XPlainer – Product FAQs for WooCommerce (WordPress); all versions up to 1.6.4 are vulnerable due to missing capability checks on several admin functions. This allows authenticated attackers with Subscriber-level access and above to add, update, and modify FAQs, FAQ lists...
CVE-2024-6167 Just Custom Fields <= 3.3.2 - Missing Authorization via AJAX actions
The Just Custom Fields plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several AJAX functions in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...
CVE-2024-6167
The CVE-2024-6167 issue in the Just Custom Fields WordPress plugin is a missing capability check in several admin AJAX functions, enabling authenticated users with Subscriber-level access (and above) to invoke admin‑only functionality such as managing field groups and item visibility. Affected ve...
CVE-2024-5993
CVE-2024-5993 (Cliengo – Chatbot plugin for WordPress) affects all versions up to 3.0.1. Red Hat’s entry indicates the root cause is a missing capability check in the update_session function, enabling authenticated users with Subscriber-level access and above to modify the chatbot session token. ...