SP Project & Document Manager <= 4.70 - Authenticated (Subscriber+) Arbitrary Folder Name Update
Description The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cdmsavecategory AJAX action in all versions up to, and including, 4.70. This makes it possible for authenticated attackers, with...
Debug Log Manager < 2.3.2 - Missing Authorization via toggle_debugging
Description The Debug Log Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the toggle_debugging function in versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with subscriber-level access and...
WooCommerce AWeber Newsletter Subscription < 4.0.3 - Missing Authorization to Access Token Modification
Description The WooCommerce AWeber Newsletter Subscription plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on a function in all versions up to, and including, 4.0.2. This makes it possible for unauthenticated attackers to reset and change...
RomethemeKit For Elementor < 1.4.2 - Missing Authorization
Description The RomethemeKit For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the addNewPost function in versions up to, and including, 1.4.1. This makes it possible for unauthenticated attackers to add new posts...
Google Typography <= 1.1.2 - Missing Authorization
Description The Google Typography plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an...
WP Post Author <= 3.6.5 - Missing Authorization
Description The WP Post Author plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function allowing authenticated attackers, with subscriber-level access and above, to perform an unauthorized action...
Post Grid Master < 3.4.8 - Missing Authorization
Description The Post Grid Master plugin for WordPress is vulnerable to unauthorized access to data due to a missing capability check on the ampostgridloadpostsajaxfunctions function in versions up to, and including, 3.4.7. This makes it possible for unauthenticated attackers to load posts...
Custom WooCommerce Checkout Fields Editor < 1.3.2 - Missing Authorization
Description The Custom WooCommerce Checkout Fields Editor plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.3.1. This makes it possible for authenticated attackers, with subscriber-level access and...
CVE-2024-1050 Import and export users and customers <= 1.26.5 - Missing Authorization
The Import and export users and customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxforceresetpassworddeletemetas function in all versions up to, and including, 1.26.5. This makes it possible for authenticated attackers,...
CVE-2024-3237
CVE-2024-3237 affects ConvertPlug/ConvertPlus for WordPress: all versions up to 3.5.25 lack a capability check in cp_dismiss_notice(), enabling authenticated users with subscriber-level access and higher to modify arbitrary options to true. Red Hat and Wordfence references confirm the vulnerabili...
CVE-2024-3237 ConvertPlug <= 3.5.25 - Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update
The ConvertPlug plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cp_dismiss_notice function in all versions up to, and including, 3.5.25. This makes it possible for authenticated attackers, with subscriber-level access and above, to...
ConvertPlug < 3.5.26 - Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update
Description The ConvertPlug plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cp_dismiss_notice function in all versions up to, and including, 3.5.25. This makes it possible for authenticated attackers, with subscriber-level access and...
PT-2024-16320 · WordPress · Export/Import Users/Customers
Name of the Vulnerable Software and Affected Versions: Import and export users and customers plugin for WordPress versions up to, and including, 1.26.5 Description: The issue is related to a missing capability check on the ajax force reset password delete metas function, allowing authenticated...
PT-2024-24538 · WordPress · Convertplug
Name of the Vulnerable Software and Affected Versions: ConvertPlug plugin for WordPress versions up to, and including, 3.5.25 Description: The issue is related to a missing capability check on the cp dismiss notice function, allowing authenticated attackers with subscriber-level access and above ...
Metform Elementor Contact Form Builder < 3.8.4 - Missing Authorization to Notice Dismissal
Description The Metform Elementor Contact Form Builder is vulnerable to unauthorized modification of data due to a missing capability check on the dismissajaxcall function. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss notices...
CVE-2024-3895
The WP Datepicker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpdpaddnewdatepickerajax function in all versions up to, and including, 2.1.0. This makes it possible for authenticated attackers, with subscriber-level access and...
CVE-2024-3942
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on several functions in versions up to, and including, 3.3.8. This makes it possible for authenticate...
CVE-2024-3607
The PropertyHive plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deletekeydate function in all versions up to, and including, 2.0.12. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete...
CVE-2024-3606
The ProfileGrid – User Profiles, Memberships, Groups and Communities plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the pmuploadcoverimage function in all versions up to, and including, 5.8.3. This makes it possible for authenticated...