
5251 matches found

CVE
added 2024/03/27 8:31 a.m. · 67 views

CVE-2024-2962

CVE-2024-2962 affects the Networker - Tech News WordPress Theme with Dark Mode. The vulnerability arises from a missing capability check in the admin_reload_nav_menu() function, affecting all versions up to and including 1.1.9. This allows unauthenticated attackers to modify the location of displ...

CVSS 5.3 · AI score 6 · EPSS 0.00504
Exploits 0 · References 3
WPVulnDB
added 2024/03/27 12:0 a.m. · 13 views

Multiple Page Generator Plugin – MPG < 3.4.1 - Missing Authorization via mpg_get_log_by_project_id

Description: The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mpg_get_log_by_project_id' function in versions up to, and including, 3.4.0. This makes it possible for authenticated attackers, with...

CVSS 8.8 · AI score 6.4 · EPSS 0.00439
Exploits 0 · References 1 · Affected Software 1
WPVulnDB
added 2024/03/27 12:0 a.m. · 18 views

WholesaleX < 1.3.2 - Authenticated(Subscriber+) Missing Authorization via multiple AJAX actions

Description: The WholesaleX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcinstallcallback AJAX function in versions up to, and including, 1.3.1. This makes it possible for authenticated attackers, with subscriber-level access and...

CVSS 8.8 · AI score 6.7 · EPSS 0.00474
Exploits 0 · References 1 · Affected Software 1
OSV
added 2024/03/26 5:15 a.m. · 1 views

CVE-2024-1745

The Testimonial Slider WordPress plugin before 2.3.7 does not properly ensure that a user has the necessary capabilities to edit certain sensitive Testimonial Slider settings, making it possible for users with at least the Author role to edit them...

CVSS 4.3 · AI score 7.3
Exploits 0 · References 1
WPVulnDB
added 2024/03/26 12:0 a.m. · 20 views

Networker - Tech News WordPress Theme with Dark Mode < 1.1.10 - Missing Authorization

Description: The Networker - Tech News WordPress Theme with Dark Mode theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_reload_nav_menu function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated...

CVSS 5.3 · AI score 6.7 · EPSS 0.00504
Exploits 0 · References 1 · Affected Software 1
WPVulnDB
added 2024/03/26 12:0 a.m. · 19 views

Check & Log Email < 1.0.10 - Unauthenticated Hook Injection

Description: The plugin is vulnerable to Unauthenticated Hook Injection via the checknonce function. This makes it possible for unauthenticated attackers to execute actions with hooks in WordPress under certain circumstances. The action the attacker wishes to execute needs to have a nonce check, a...

CVSS 8.1 · AI score 7.4 · EPSS 0.00732
Exploits 0 · References 1 · Affected Software 1
WPVulnDB
added 2024/03/22 12:0 a.m. · 14 views

WooCommerce Clover Payment Gateway < 1.3.2 - Missing Authorization via callback_handler

Description: The WooCommerce Clover Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callback_handler function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to mark...

CVSS 5.3 · AI score 6.4 · EPSS 0.00641
Exploits 0 · References 1 · Affected Software 1
OSV
added 2024/03/21 2:51 a.m. · 5 views

CVE-2024-1502

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tutordeleteannouncement function in all versions up to, and including, 2.6.1. This makes it possible for authenticated attackers, with...

CVSS 4.3 · AI score 5.9 · EPSS 0.00428
Exploits 0 · References 2
NVD
added 2024/03/20 7:15 a.m. · 8 views

CVE-2024-1844

The RevivePress – Keep your Old Content Evergreen plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the importdata and copydata functions in all versions up to, and including, 1.5.6. This makes it possible for authenticated...

CVSS 4.3 · AI score 4.3 · EPSS 0.00419
Exploits 0 · References 4
NVD
added 2024/03/20 7:15 a.m. · 10 views

CVE-2024-1119

The Order Tip for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exporttipstocsv function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to export the plugin's order fees...

CVSS 5.3 · AI score 5.1 · EPSS 0.00517
Exploits 0 · References 3
Cvelist
added 2024/03/20 6:48 a.m. · 21 views

CVE-2024-1119 Order Tip for WooCommerce <= 1.3.1 - Missing Authorization to Unauthenticated Data Export

The Order Tip for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exporttipstocsv function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to export the plugin's order fees...

CVSS 5.3 · AI score 5.4 · EPSS 0.00517
Exploits 0 · References 3
OSV
added 2024/03/20 6:15 a.m. · 3 views

CVE-2024-2538

The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajaxsavepermalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above,...

CVSS 4.3 · AI score 7.4 · EPSS 0.00568
Exploits 1 · References 3
Cvelist
added 2024/03/20 5:32 a.m. · 25 views

CVE-2024-2538 Permalink Manager <= 2.4.3.1 - Missing Authorization to Authenticated(Author+) Arbitrary Post Slug Modification

The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajaxsavepermalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above,...

CVSS 5.4 · AI score 5.5 · EPSS 0.00568
Exploits 1 · References 3
NVD
added 2024/03/20 2:15 a.m. · 17 views

CVE-2024-1995

The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relationalpostssearch function in all versions up to, and including, 4.2.2. This makes it possible for authenticated attackers, with subscriber-level access and above,...

CVSS 4.3 · AI score 4.4 · EPSS 0.0058
Exploits 0 · References 4
Positive Technologies
added 2024/03/20 12:0 a.m. · 4 views

PT-2024-18355 · WordPress · Revivepress

Name of the Vulnerable Software and Affected Versions: RevivePress – Keep your Old Content Evergreen plugin for WordPress versions up to, and including, 1.5.6
Description: The issue allows unauthorized access and modification of data due to a missing capability check on the import data and copy...

CVSS 4.3 · AI score 9.3 · EPSS 0.00419
Exploits 0 · References 5
Positive Technologies
added 2024/03/19 12:0 a.m. · 6 views

PT-2024-20908 · WordPress · Permalink Manager Lite

Name of the Vulnerable Software and Affected Versions: Permalink Manager Lite plugin for WordPress versions up to, and including, 2.4.3.1
Description: The issue arises from a missing capability check on the ajax save permalink function, allowing authenticated attackers with author access or above...

CVSS 5.4 · AI score 9.4 · EPSS 0.00568
Exploits 1 · References 7
WPVulnDB
added 2024/03/19 12:0 a.m. · 10 views

RevivePress < 1.5.6.1 - Subscriber+ Settings Update/Access

Description: The plugin is vulnerable to unauthorized access and modification of data due to a missing capability check on the importdata and copydata functions. This makes it possible for authenticated attackers, with subscriber-level access or higher, to overwrite plugin settings and view them...

CVSS 4.3 · AI score 5.3 · EPSS 0.00419
Exploits 0 · References 1 · Affected Software 1
WPVulnDB
added 2024/03/19 12:0 a.m. · 21 views

Advanced Classifieds & Directory Pro < 3.1.2 - Missing Authorization to Arbitrary Attachment Deletion

Description: The Advanced Classifieds & Directory Pro plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajaxcallbackdeleteattachment function in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with...

CVSS 4.3 · AI score 6.5 · EPSS 0.00539
Exploits 0 · References 1 · Affected Software 1
OSV
added 2024/03/16 6:15 a.m. · 4 views

CVE-2024-1733

The Word Replacer Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wordreplacerultra function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to update arbitrary content on the...

CVSS 5.3 · AI score 5.9 · EPSS 0.00441
Exploits 0 · References 2
NVD
added 2024/03/16 6:15 a.m. · 10 views

CVE-2024-1733

The Word Replacer Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wordreplacerultra function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to update arbitrary content on the...

CVSS 5.3 · AI score 5.2 · EPSS 0.00441
Exploits 0 · References 2