CVE-2024-2043
CVE-2024-2043 concerns the EleForms – All In One Form Integration including DB for Elementor WordPress plugin. A missing capability check when downloading form submissions allows unauthenticated users to view submissions in all versions up to and including 2.9.9.7. Root cause: absent auth...
CVE-2024-1677
CVE-2024-1677 affects the WordPress plugin Print Labels with Barcodes for WooCommerce. Root cause: improper capability checks on 42 AJAX functions, enabling authenticated users with subscriber access and above to fully control the plugin, including modifying settings, and creating, editing, retri...
CVE-2024-1688
CVE-2024-1688 affects the Woo Total Sales plugin for WordPress. The vulnerability is due to a missing capability check in get_orders_archive(), allowing unauthenticated attackers to retrieve sales reports. Impact: information exposure of store sales data across all versions up to and including 3....
CVE-2024-3599
CVE-2024-3599 affects WP Cookie Consent for WordPress (up to v3.0.2). Root cause: missing capability check in gdpr_policy_process_delete(). Vulnerability allows unauthenticated deletion of arbitrary posts. Remediation: upgrade to a version higher than 3.0.2 or apply vendor patch (details in conne...
CVE-2024-3599 WP Cookie Consent (for GDPR, CCPA & ePrivacy) <= 3.0.2 - Missing Authorization to Unauthenticated Arbitrary Post Deletion
The WP Cookie Consent for GDPR, CCPA & ePrivacy plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the gdpr_policy_process_delete function in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to delete...
CVE-2024-3071 ACF On-The-Go <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Update
The ACF On-The-Go plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the acfg_update_fields function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to...
CVE-2024-3071
CVE-2024-3071 affects the ACF On-The-Go plugin for WordPress. The issue is a missing capability check in acfg_update_fields(), making authenticated users with subscriber level access and above able to modify arbitrary post titles, descriptions, and ACF values in all versions up to 1.0.1. Publicly...
CVE-2024-3895 WP Datepicker <= 2.1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
The WP Datepicker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpdp_add_new_datepicker_ajax function in all versions up to, and including, 2.1.0. This makes it possible for authenticated attackers, with subscriber-level access and...
CVE-2024-3895
The WP Datepicker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in wpdp_add_new_datepicker_ajax() across all versions up to 2.1.0. Authenticated attackers with subscriber-level access and above can update arbitrary options that may lead ...
CVE-2024-3546 WordPress Backup & Migration <= 1.4.8 - Missing Authorization to Directory Traversal
The WordPress Backup & Migration plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wp_mgdp_populate_popup function in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with subscriber access or above...
CVE-2024-3546
CVE-2024-3546 affects the WordPress Backup & Migration plugin (wp-migration-duplicator) for WordPress, up to version 1.4.8. The root cause is a missing capability check in wp_mgdp_populate_popup, enabling authenticated attackers with subscriber access or higher to invoke the function and access l...
CVE-2024-1584
CVE-2024-1584 affects Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy). The issue is a missing capability check in wpa_check_authentication across all versions up to 5.2.1, enabling unauthorized modification of the site’s Google Analytics tracking ID by unauthenticat...
CVE-2024-3206
CVE-2024-3206 concerns the WordPress plugin "Different Menu in Different Pages – Control Menu Visibility (All in One)". The vulnerability arises from a missing capability check in the ajax() function across all versions up to 2.3.2, enabling authenticated attackers with subscriber-level a...
CVE-2024-3206 Different Menu in Different Pages – Control Menu Visibility (All in One) <= 2.3.2 - Missing Authorization to Menu Duplication
The Different Menu in Different Pages – Control Menu Visibility All in One plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ajax function in all versions up to, and including, 2.3.2. This makes it possible for authenticated attackers, with...
CVE-2024-3520 Country State City Dropdown CF7 <= 2.7.1 - Missing Authorization
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tc_csca_patch_settings function in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with subscriber access...
CVE-2024-3520
The Country State City Dropdown CF7 WordPress plugin is missing a capability check in tc_csca_patch_settings, which leads to unauthorized data modification. Affected versions are all up to 2.7.1; authenticated users with subscriber rights and above can add states/cities to the dro...
CVE-2024-3585
CVE-2024-3585 describes a vulnerability in the Send PDF for Contact Form 7 plugin for WordPress. It permits unauthenticated access to form submissions (including PDFs) due to a missing capability check on the hooks function in all versions up to and including 1.0.2.3, enabling information exposur...
CVE-2024-3581 MaxGalleria <= 6.4.2 - Missing Authorization
The MaxGalleria plugin for WordPress is vulnerable to unauthorized image upload due to a missing capability check on the addmedialibraryimagestogallery function in all versions up to, and including, 6.4.2. This makes it possible for authenticated attackers, with subscriber access or above, to...