CVE-2024-4445 WP Compress – Image Optimizer [All-In-One] <= 6.20.01 - Missing Authorization
The WP Compress – Image Optimizer [All-In-One] plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in versions up to, and including, 6.20.01. This makes it possible for authenticated attackers, with subscriber-level...
CVE-2024-0870
CVE-2024-0870 (YITH WooCommerce Gift Cards for WordPress) is an unauthenticated data-modification vulnerability caused by a missing capability check on save_mail_status and save_email_settings. Affected versions are all up to and including 4.12.0. The issue enables unauthenticated attackers to mo...
Email Subscribers by Icegram Express < 5.7.20 - Missing Authorization in handle_ajax_request
Description: The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on the handle_ajax_request function in all versions up to, and including, 5.7.19. This makes it possible f...
CVE-2024-4280
CVE-2024-4280 concerns the White Label CMS plugin for WordPress. The vulnerability arises from a missing capability check in the reset_plugin function, affecting all versions up to and including 2.7.3, which could allow unauthenticated attackers to reset plugin settings. The CVE is documented as ...
PT-2024-30172 · WordPress · White Label Cms
Name of the Vulnerable Software and Affected Versions: White Label CMS plugin for WordPress versions prior to 2.7.4. Description: The issue allows unauthorized modification of data due to a missing capability check on the reset_plugin function. This makes it possible for unauthenticated attackers ...
CVE-2024-3915
CVE-2024-3915 affects the Swift Framework WordPress plugin (versions up to and including 2.7.31). The root cause is a missing capability check in sf_edit_directory_item(), enabling unauthenticated attackers to modify arbitrary posts/content. Impact per available data is limited to integrity (LOW)...
CVE-2024-3722 Swift Performance Lite <= 2.3.6.18 - Incorrect Authorization to Authenticated (Subscriber+) Settings Modification
The Swift Performance Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ajax_handler function in all versions up to, and including, 2.3.6.18. This makes it possible for authenticated attackers, with subscriber-level access and above, to retriev...
CVE-2024-3722
The CVE-2024-3722 entry concerns the Swift Performance Lite WordPress plugin. It describes an unauthorized access vulnerability caused by a missing capability check in ajax_handler(), affecting all versions up to and including 2.3.6.18. The issue can be exploited by authenticated attackers with s...
CVE-2023-6327 ShopLentor (formerly WooLentor) <= 2.8.7 - Missing Authorization via purchased_new_products
The ShopLentor (formerly WooLentor) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the purchased_new_products function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to view all products purchas...
CVE-2024-1693 SP Project & Document Manager <= 4.70 - Authenticated (Subscriber+) Arbitrary Folder Name Update
The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cdm_save_category AJAX action in all versions up to, and including, 4.70. This makes it possible for authenticated attackers, with subscriber-level acce...
CVE-2024-1693
The CVE-2024-1693 vulnerability affects the SP Project & Document Manager WordPress plugin. It arises from a missing capability check on the cdm_save_category AJAX action, enabling authenticated users with subscriber-level access and higher to rename arbitrary folders they do not own. Affected ve...
Max Mega Menu < 3.3.1 - Missing Authorization
Description: The Max Mega Menu plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the sandbox function in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger the...
PT-2024-27388 · WordPress · Swift Performance Lite
Name of the Vulnerable Software and Affected Versions: Swift Performance Lite plugin for WordPress versions up to, and including, 2.3.6.18. Description: The issue allows authenticated attackers with subscriber-level access and above to retrieve and modify settings due to a missing capability check...
White Label CMS < 2.7.4 - Missing Authorization to Plugin Settings Reset
Description: The White Label CMS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_plugin function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to reset plugin settings...
PT-2024-17530 · WordPress · Simpleshop
Name of the Vulnerable Software and Affected Versions: SimpleShop plugin for WordPress versions prior to 2.10.3 Description: The issue arises from a missing capability check on the maybe disconnect simpleshop function, allowing unauthenticated attackers to disconnect SimpleShop. Recommendations:...
PT-2024-14930 · WordPress · Shoplentor
Name of the Vulnerable Software and Affected Versions: ShopLentor plugin for WordPress versions up to, and including, 2.8.7. Description: The issue allows unauthorized access to data due to a missing capability check on the purchased_new_products function. This enables unauthenticated attackers to...
PT-2024-28362 · WordPress · Swift Framework
Name of the Vulnerable Software and Affected Versions: Swift Framework plugin for WordPress versions prior to 2.7.32. Description: The issue allows unauthorized modification of data due to a missing capability check on the sf_edit_directory_item function. This enables unauthenticated attackers to...
Swift Performance Lite < 2.3.6.19 - Subscriber+ Settings Update
Description: The plugin is vulnerable to unauthorized access due to a missing capability check on the ajax_handler function, allowing authenticated attackers, with subscriber-level access and above, to retrieve and modify settings...
CVE-2023-6810
The ClickCease Click Fraud Protection plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the get_settings function in all versions up to, and including, 3.2.4. This makes it possible for authenticated attackers, with author access and above, to...
CVE-2023-6810
CVE-2023-6810: ClickCease Click Fraud Protection (WordPress) has an improper capability check in get_settings, allowing authenticated users with author access and above to retrieve the plugin’s API keys. Affected versions are up to 3.2.4. The Red Hat entry and Wordfence state th...