CVE-2023-3352
The Smush plugin for WordPress is vulnerable to unauthorized deletion of the resmush list due to a missing capability check on the deleteresmushlist function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to delete the resmush list for Nextgen ...
CVE-2024-1955
CVE-2024-1955 affects the WordPress plugin Hide Dashboard Notifications (up to v1.3). Root cause: missing capability check in the warning_notices_settings function, enabling authenticated attackers with contributor+ rights to modify the plugin’s settings. Impact: unauthorized modification of data...
CVE-2023-3352 Smush – Lazy Load Images, Optimize & Compress Images <= 3.16.4 - Missing Authorization to Resmush List Deletion
The Smush plugin for WordPress is vulnerable to unauthorized deletion of the resmush list due to a missing capability check on the deleteresmushlist function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to delete the resmush list for Nextgen ...
CVE-2024-3610 WP Child Theme Generator <= 1.1.1 - Missing Authorization to Unauthenticated Child Theme Creation/Activation
The WP Child Theme Generator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wctg_easy_child_theme function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to create a blank child theme...
CVE-2024-1639
CVE-2024-1639 affects License Manager for WooCommerce (WordPress). All versions up to 3.0.7 allow an authenticated admin (contributors, per WooCommerce) to view arbitrary decrypted license keys due to missing capability checks in showLicenseKey() and showAllLicenseKeys(). A referrer nonce check e...
CVE-2024-3610
CVE-2024-3610 affects the WP Child Theme Generator plugin for WordPress. The underlying issue is a missing capability check in wctg_easy_child_theme(), allowing unauthenticated attackers to create a blank child theme and activate it, potentially whitescreening the site. Affected versions are all ...
CVE-2024-3627
The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the AjaxFunctions.php file in all versions up to, and including, 1.1.7. This makes it possible...
CVE-2024-3602
The Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the disconnectpromolayer function in all versions up to, and including, 1.1.0. This...
CVE-2024-3627
CVE-2024-3627 affects Wheel of Life: Coaching and Assessment Tool for Life Coach (WordPress). The WordPress plugin versions up to 1.1.7 are vulnerable due to missing authorization checks in AjaxFunctions.php, allowing authenticated attackers with subscriber-level access or higher to delete arbitr...
CVE-2024-3627 Wheel of Life: Coaching and Assessment Tool for Life Coach <= 1.1.7 - Missing Authorization on Several AJAX Endpoints
The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the AjaxFunctions.php file in all versions up to, and including, 1.1.7. This makes it possible...
PT-2024-26942 · WordPress · The Wheel Of Life: Coaching/Assessment Tool For Life Coach
Name of the Vulnerable Software and Affected Versions: The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress versions up to, and including, 1.1.7 Description: The issue is related to a missing capability check on several functions in the AjaxFunctions.php file. This...
PT-2024-26848 · WordPress · Promolayer
Name of the Vulnerable Software and Affected Versions: Promolayer plugin for WordPress versions up to, and including, 1.1.0 Description: The Promolayer plugin for WordPress is affected by an issue that allows unauthorized updates to plugin settings. This is due to a missing capability check on th...
PT-2024-26891 · WordPress · Wp Child Theme Generator
Name of the Vulnerable Software and Affected Versions: WP Child Theme Generator plugin for WordPress versions up to, and including, 1.1.1 Description: The issue is related to a missing capability check on the wctg_easy_child_theme function, allowing unauthorized modification of data. This enables...
CVE-2024-5768
The MIMO Woocommerce Order Tracking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mimo_update_provider' function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2024-4450
The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.6. This makes it possible for authenticated attackers, with...
CVE-2024-5768 MIMO Woocommerce Order Tracking <= 1.0.2 - Missing Authorization to Authenticated (Contributor+) Stored Cross-Site Scripting
The MIMO Woocommerce Order Tracking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mimo_update_provider' function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2024-5768
CVE-2024-5768 affects MIMO Woocommerce Order Tracking (WordPress). The vulnerability is due to a missing capability check in mimo_update_provider, affecting all versions up to and including 1.0.2. Exploitation requires Subscriber+ authenticated access and can enable unauthorized modification of s...
CVE-2024-4450
CVE-2024-4450 affects AliExpress Dropshipping with AliNext Lite for WordPress. The issue is a missing capability check in several functions of ImportAjaxController.php, affecting all versions up to 3.3.5. This allows authenticated attackers with subscriber-level access and above to perform action...
PT-2024-31164 · WordPress · Aliexpress Dropshipping With Alinext Lite
Name of the Vulnerable Software and Affected Versions: AliExpress Dropshipping with AliNext Lite plugin for WordPress versions up to, and including, 3.3.5 Description: The issue is related to a missing capability check on several functions in the ImportAjaxController.php file. This allows...