5230 matches found
FunnelKit Checkout < 3.11.0 - Subscriber+ Arbitrary Plugin Activation
Description The FunnelKit Checkout plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on an unknown function in all versions up to, and including, 3.10.3. This makes it possible for authenticated attackers, with subscriber access and above, t...
WC Marketplace < 4.0.24 - Missing Authorization via mvx_save_dashpages
Description The WC Marketplace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mvx_save_dashpages' function in versions up to, and including, 4.0.23. This makes it possible for unauthenticated attackers to update the plugin's setting...
WooCommerce PDF Invoices < 4.3.1 - Subscriber+ Arbitrary Order Export
Description The plugin is vulnerable to unauthorized access of data due to a missing capability check on the printpackinglist action. This makes it possible for authenticated attackers, with subscriber-level access and above, to export orders which can contain sensitive information...
Easy Social Feed < 6.5.3 - Subscriber+ Settings Update
Description The plugin is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions, such as modifying the plugin's...
Product Catalog Enquiry for WooCommerce < 5.0.3 - Unauthenticated Inquiry Saving & Sensitive Information Disclosure
Description The plugin is vulnerable to unauthorized access and modification of data due to an improper capability check on the catalogrestroutesreactmodule REST endpoints, allowing unauthenticated attackers to view data from admin tabs and save enquiries...
MC4WP < 4.9.10 - Unauthenticated Unpublished Form Preview
Description The plugin is vulnerable to unauthorized access of data due to a missing capability check on the 'listen' function, allowing unauthenticated attackers to preview unpublished forms...
VulnCheck KEV: CVE-2023-6600
The OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings function hooked via admin_init in all versions up to, and including,...
SpeedyCache < 1.1.4 - Missing Authorization to Plugin Options Update
Description The SpeedyCache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the speedycache_save_varnish_ip, speedycache_img_update_settings, speedycache_preloading_add_settings, and speedycache_preloading_delete_resource functions in all versions ...
WP VR < 8.3.15 - Unauthenticated Plugin Downgrade leading to XSS
Description The plugin lacks authorisation and CSRF checks in a function hooked to admin_init, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities. v3.8.15 partially fixed the issue as the wrong capability chec...
WP Project Manager < 2.6.8 - Missing Authorization
Description The WP Project Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on an unknown function in versions up to, and including, 2.6.7. This makes it possible for unauthenticated attackers to perform an unauthorized action...
Square Thumbnails <= 1.1.0 - Missing Authorization
Description The Square Thumbnails plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on an unknown function in versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to perform an unauthorized action...
WP Simple HTML Sitemap < 2.8 - Missing Authorization
Description The plugin is vulnerable to unauthorized access due to a missing capability check on an unknown function, allowing unauthenticated attackers to perform an unauthorized action...
Login With Ajax < 4.2 - Missing Authorization
Description The Login With Ajax plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on an unknown function in versions up to, and including, 4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an...
Awesome Support < 6.1.8 - Missing Authorization
Description The plugin is vulnerable to unauthorized access due to a missing capability check on an unknown function, allowing unauthenticated attackers to perform an unauthorized action...
Elementor Timeline Widget <= 2.0 - Missing Authorization to Notice Dismissal
Description The Elementor Timeline Widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in versions up to, and including, 2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss notices...
Awesome Support < 6.1.11 - Missing Authorization
Description The plugin is vulnerable to unauthorized access due to a missing capability check on an unknown function, allowing authenticated attackers, with subscriber-level access and above, to perform an unauthorized action...
WP Cleanfix < 5.7.0 - Subscriber+ Post/Comment/Post Meta Content Replacement
Description The plugin is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the register function, allowing authenticated attackers, with subscriber-level access and above, to find and replace post, comment, and postmeta content as well as...
System Dashboard < 2.8.8 - Missing Authorization to Information Disclosure (sd_php_info)
Description The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_php_info function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with...
JetEngine < 3.2.5 - Missing Authorization
Description The JetEngine plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in versions up to, and including, 3.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action...
JetElements For Elementor < 2.6.13.1 - Missing Authorization to Unauthenticated Arbitrary Attachment Download
Description The JetElements plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on an unknown function in all versions up to, and including, 2.6.13. This makes it possible for unauthenticated attackers to download arbitrary attachments...
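The entries above share one root cause: a function reachable through a wp_ajax_ / wp_ajax_nopriv_ action, a REST route or an admin_init hook that never verifies the caller's capability before reading or writing data. The PHP below is an added illustration written for this page; it is not code from any plugin listed here. The plugin prefix acme_, the option and user-meta names, the nonce actions and the request parameters are all assumptions. It places the vulnerable pattern beside the hardened one for both hook types.

```php
<?php
// Added illustration, not code from any plugin listed above.
// All acme_* names, option keys and nonce actions are assumptions.

// ---- VULNERABLE: AJAX handler with no capability check ---------------------
// wp_ajax_ fires for every logged-in user (Subscriber+), wp_ajax_nopriv_ for
// anonymous visitors. Neither hook performs authorization by itself.
add_action( 'wp_ajax_acme_save_settings',        'acme_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_acme_save_settings', 'acme_save_settings_vulnerable' );
function acme_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'acme_settings', $settings ); // anyone can overwrite plugin settings
    wp_send_json_success();
}

// ---- VULNERABLE: admin_init is not an authorization boundary ---------------
// admin_init also runs for admin-ajax.php requests (including unauthenticated
// ones) and for any logged-in user who loads wp-admin, so code hooked here
// that acts on request parameters is reachable without any privilege.
add_action( 'admin_init', 'acme_dismiss_notice_vulnerable' );
function acme_dismiss_notice_vulnerable() {
    if ( isset( $_GET['acme_dismiss_notice'] ) ) {
        update_option( 'acme_notice_dismissed', 1 ); // no capability or nonce check
    }
}

// ---- HARDENED: AJAX handler ------------------------------------------------
// Privileged-only hook (no _nopriv_), nonce check for CSRF, capability check
// for authorization, and an allow-list sanitizer before persisting.
add_action( 'wp_ajax_acme_save_settings', 'acme_save_settings_hardened' );
function acme_save_settings_hardened() {
    // CSRF: the nonce proves the request originated from the plugin's own page.
    // A nonce alone is NOT authorization: any Subscriber who can load a page
    // that embeds it can replay it, which is exactly the Subscriber+ class above.
    check_ajax_referer( 'acme_save_settings', 'nonce' );

    // Authorization: check a capability, not merely "is logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = acme_sanitize_settings( $raw );
    update_option( 'acme_settings', $settings );
    wp_send_json_success( $settings );
}

// Allow-list the keys the plugin actually understands; drop everything else.
function acme_sanitize_settings( array $raw ) {
    return array(
        'cache_enabled' => ! empty( $raw['cache_enabled'] ) ? 1 : 0,
        'cdn_host'      => isset( $raw['cdn_host'] ) ? sanitize_text_field( $raw['cdn_host'] ) : '',
    );
}

// ---- HARDENED: admin_init handler -----------------------------------------
// Same two checks; the dismissal is also scoped to the current user instead of
// a site-wide option, so one user's click cannot change what others see.
add_action( 'admin_init', 'acme_dismiss_notice_hardened' );
function acme_dismiss_notice_hardened() {
    if ( ! isset( $_GET['acme_dismiss_notice'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'acme_dismiss_notice' ); // dies on a missing or invalid _wpnonce
    update_user_meta( get_current_user_id(), 'acme_notice_dismissed', 1 );
}
```

When reviewing a plugin for this bug class, grep for add_action calls on wp_ajax_, wp_ajax_nopriv_, admin_init and register_rest_route, then read each callback for a current_user_can() (or a REST permission_callback that is not __return_true) and a nonce check. Missing capability check with a nonce present is still the Subscriber+ case; capability check without a nonce is a CSRF case; neither check is the unauthenticated case described in several entries above.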