CVE-2024-3662
CVE-2024-3662 affects the WPZOOM Social Feed Widget & Block plugin for WordPress. The vulnerability is due to a missing capability check in the function wpzoom_instagram_clear_data(), present in all versions up to and including 2.1.13. This allows authenticated attackers with subscriber-level acc...
CVE-2024-3662 WPZOOM Social Feed Widget & Block <= 2.1.13 - Missing Authorization to Authenticated (Subscriber+) Instagram Image Deletion
The WPZOOM Social Feed Widget & Block plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpzoom_instagram_clear_data() function in all versions up to, and including, 2.1.13. This makes it possible for authenticated attackers, with subscriber-level access...
CVE-2024-3027 Smart Slider 3 <= 3.5.1.22 - Missing Authorization to Limited File Upload
The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the upload function in all versions up to, and including, 3.5.1.22. This makes it possible for authenticated attackers, with contributor-level access and above, to uploa...
PT-2024-27098 · Wpzoom · Wpzoom Social Feed Widget & Block
Name of the Vulnerable Software and Affected Versions: WPZOOM Social Feed Widget & Block plugin for WordPress versions up to, and including, 2.1.13 Description: The issue is unauthorized access due to a missing capability check on the wpzoom_instagram_clear_data() function. This allows...
Responsive Lightbox < 2.4.7 - Information Disclosure
Description The plugin is vulnerable to unauthorized access due to a missing capability check on the galleryattributes function in versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with contributor-level access and above, to view post content they shouldn't...
Ivory Search – WordPress Search Plugin < 5.5.6 - Subscriber+ Index Creation
Description The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxcreateindex function in all versions up to, and including, 5.5.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger index...
Church Admin < 4.1.7 - Missing Authorization
Description The Church Admin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in versions up to, and including, 4.1.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform...
WP Sort Order < 1.3.2 - Missing Authorization
Description The WP Sort Order plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions such as updatemenuorder in versions up to, and including, 1.3.1. This makes it possible for authenticated attackers, with subscriber-level...
Soledad < 8.4.6 - Missing Authorization
Description The Soledad theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 8.4.5. This makes it possible for unauthenticated attackers to perform an unauthorized action...
WP2LEADS < 3.2.8 - Missing Authorization
Description The WP2LEADS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions such as importmaps in versions up to, and including, 3.2.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to...
PostX – Gutenberg Blocks for Post Grid < 3.2.4 - Incorrect Authorization
Description The PostX – Gutenberg Blocks for Post Grid plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with author-level access an...
EmbedPress < 3.9.9 - Missing Authorization via handle_calendly_data
Description The EmbedPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the handle_calendly_data function in versions up to, and including, 3.9.8. This makes it possible for unauthenticated attackers to update Calendly settings...
Bricksforge < 2.1.1 - Missing Authorization to Unauthenticated WordPress Settings Update
Description The Bricksforge plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.0.17. This makes it possible for unauthenticated attackers to update arbitrary WordPress settings...
Soledad < 8.4.6 - Missing Authorization
Description The Soledad theme for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 8.4.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action...
Kernel: bluetooth: Unauthorized management command execution
A vulnerability was found in the HCI sockets implementation due to a missing capability check in net/bluetooth/hci_sock.c in the Linux kernel. This flaw allows an attacker to execute management commands without authorization, compromising the confidentiality, integrity, and availability of Bluetooth...
CVE-2024-2428 The Ultimate Video Player For WordPress < 2.2.3 - Contributor+ Stored XSS
The Ultimate Video Player For WordPress WordPress plugin before 2.2.3 does not have proper capability check when updating its settings via a REST route, allowing Contributor and above users to update them. Furthermore, due to the lack of escaping in one of the settings, this also allows them to...
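The WordPress entries above share one root cause: a handler reachable through admin-ajax.php (the WPZOOM, Ivory Search and Church Admin entries) or through a REST route (the PostX and CVE-2024-2428 entries) that never asks whether the caller is allowed to do what it does. The following is an added example written for this page, not code from any plugin listed here: the plugin slug acme-feed, the option names and the action/route names are hypothetical, and only the WordPress core functions it calls (add_action, check_ajax_referer, current_user_can, wp_send_json_error, register_rest_route, sanitize_text_field, update_option) are real. It places the vulnerable shape beside the hardened one for both the AJAX case and the REST case.

```php
<?php
// Added example for this page; not code from any plugin listed above.
// "acme-feed", its option names and its action/route names are hypothetical.

// --- AJAX, vulnerable shape ---
// wp_ajax_{action} fires for every logged-in user regardless of role, so a
// subscriber can reach this handler. Nothing here checks a nonce or a capability.
add_action( 'wp_ajax_acme_feed_clear_cache', 'acme_feed_clear_cache_unsafe' );
function acme_feed_clear_cache_unsafe() {
    delete_option( 'acme_feed_cached_images' );
    wp_send_json_success();
}

// --- AJAX, hardened shape ---
add_action( 'wp_ajax_acme_feed_clear_cache_v2', 'acme_feed_clear_cache_safe' );
function acme_feed_clear_cache_safe() {
    // CSRF: the request must carry the nonce the admin page rendered.
    // This proves origin, not authorization: a subscriber who can load the
    // page that prints the nonce holds a valid one.
    check_ajax_referer( 'acme_feed_clear_cache', 'nonce' );

    // Authorization: being logged in is not a permission decision. Pick the
    // capability that matches the action (manage_options for settings,
    // upload_files for uploads, delete_others_posts for deleting others' content).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    delete_option( 'acme_feed_cached_images' );
    wp_send_json_success();
}
// The same check is required on wp_ajax_nopriv_{action} handlers, which are
// reachable without any session at all (the EmbedPress and Bricksforge shape).

// --- REST route, vulnerable and hardened shapes ---
add_action( 'rest_api_init', function () {
    // Vulnerable: '__return_true' makes the route public. Omitting
    // permission_callback entirely (WordPress 5.5 and later) only emits a
    // _doing_it_wrong notice; the request still reaches the callback.
    register_rest_route( 'acme-feed/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'acme_feed_update_settings',
        'permission_callback' => '__return_true',
    ) );

    // Hardened: authorization lives in permission_callback, which WordPress
    // evaluates before the callback runs; 'args' sanitizes the input.
    register_rest_route( 'acme-feed/v1', '/settings-v2', array(
        'methods'             => 'POST',
        'callback'            => 'acme_feed_update_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'title' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function acme_feed_update_settings( WP_REST_Request $request ) {
    // Sanitize on input and escape on output. Storing the raw value and
    // echoing it unescaped is the second half of the CVE-2024-2428 entry
    // (capability bypass chained into stored XSS).
    update_option( 'acme_feed_title', sanitize_text_field( $request['title'] ) );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

When reviewing a plugin for this class of bug, list every add_action('wp_ajax_...') and add_action('wp_ajax_nopriv_...') registration and every register_rest_route() call, then confirm the handler (or the permission_callback) calls current_user_can() with a capability that matches the operation. A nonce check on its own, or a permission_callback of '__return_true', is what each advisory above describes as a missing capability check.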