CVE-2024-5993 Cliengo - Chatbot <= 3.0.2 - Missing Authorization to Authenticated (Subscriber+) Chatbot Settings Update
The Cliengo – Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_session' function in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, ...
CVE-2024-6180
CVE-2024-6180 — EventON WordPress plugin is vulnerable due to a missing capability check on the ajax action eventon_import_settings, affecting all versions up to 2.2.15. This allows unauthenticated attackers to modify plugin settings, including injecting stored XSS into settings displayed on the ...
CVE-2024-6180 EventON <= 2.2.15 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting and Plugin Settings Updates
The EventON plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eventon_import_settings' ajax action in all versions up to, and including, 2.2.15. This makes it possible for unauthenticated attackers to update plugin settings, including...
CVE-2024-5855 Media Hygiene <= 3.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion
The Media Hygiene: Remove or Delete Unused Images and More! plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the bulk_action_delete and delete_single_image_call AJAX actions in all versions up to, and including, 3.0.1. This makes it possible for...
CVE-2024-5855
CVE-2024-5855 affects the WordPress plugin Media Hygiene: Remove or Delete Unused Images and More! It allows authenticated users with Subscriber+ privileges to delete arbitrary attachments due to a missing capability check on bulk_action_delete and delete_single_image_call. A nonce check was adde...
PT-2024-29203 · WordPress · Pricing Table
Name of the Vulnerable Software and Affected Versions: Pricing Table plugin for WordPress versions up to, and including, 2.0.1 Description: The issue arises from a missing capability check on the ajax function, allowing authenticated attackers with subscriber-level access and above to perform...
PT-2024-37298 · WordPress · Cliengo – Chatbot
Name of the Vulnerable Software and Affected Versions: The Cliengo – Chatbot plugin for WordPress versions up to, and including, 3.0.1 Description: The issue is related to a missing capability check on the update session function, allowing authenticated attackers with Subscriber-level access and...
PT-2024-36999 · Woocommerce · Xplainer - Woocommerce Product Faq
Name of the Vulnerable Software and Affected Versions: The XPlainer – WooCommerce Product FAQ WooCommerce Accordion FAQ Plugin versions up to, and including, 1.6.4 Description: The issue allows authenticated attackers with Subscriber-level access and above to modify data without proper...
PT-2024-37427 · WordPress · Just Custom Fields
Name of the Vulnerable Software and Affected Versions: The Just Custom Fields plugin for WordPress versions up to, and including, 3.3.2 Description: The issue allows authenticated attackers with Subscriber-level access and above to invoke functionality intended for admin users due to a missing...
PT-2024-26888 · WordPress · Product Designer
Name of the Vulnerable Software and Affected Versions: Product Designer plugin for WordPress versions up to, and including, 1.0.33 Description: The issue is related to a missing capability check on the product designer ajax delete attach id function, which allows unauthorized loss of data. This...
PT-2024-37194 · WordPress · Media Hygiene
Name of the Vulnerable Software and Affected Versions: Media Hygiene: Remove or Delete Unused Images and More! plugin for WordPress versions up to, and including, 3.0.1 Description: The issue is related to a missing capability check on the bulk action delete and delete single image call AJAX...
CVE-2024-5641 One Click Order Re-Order <= 1.1.9 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
The One Click Order Re-Order plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ced_ocor_save_general_setting' function in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2024-5641
CVE-2024-5641 affects the One Click Order Re-Order plugin for WordPress (all versions up to 1.1.9). The issue is unauthorized modification of data due to a missing capability check in the ced_ocor_save_general_setting function, enabling authenticated users with Subscriber level access and above t...
CVE-2024-6088 LearnPress – WordPress LMS Plugin <= 4.2.6.8.1 - Missing Authorization to Unauthenticated User Registration Bypass
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the 'register' function in all versions up to, and including, 4.2.6.8.1. This makes it possible for unauthenticated attackers to bypass disabled user...
CVE-2024-6012 Cost Calculator Builder <= 3.2.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Creation
The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'embed-create-page' and 'embed-insert-pages' functions in all versions up to, and including, 3.2.12. This makes it possible for authenticated attackers, wit...
CVE-2024-6012
CVE-2024-6012 affects the Cost Calculator Builder plugin for WordPress. The vulnerability arises from a missing capability check in embed-create-page and embed-insert-pages, affecting all versions up to and including 3.2.12. This permits authenticated attackers with Subscriber-level access or hig...