CVE-2023-5311

CVE-2023-5311 concerns the WP EXtra WordPress plugin. A missing capability check in the register() function in versions up to 6.2 allows authenticated users with subscriber-level permissions or higher to modify .htaccess in site root, /wp-content, or /wp-includes and can lead to remote code execu...

CVE-2023-5311 WP EXtra <= 6.2 - Missing Authorization to .htaccess File Modification

The WP EXtra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the register function in versions up to, and including, 6.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify the...

Design/Logic Flaw

The Soisy Pagamento Rateale plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the parseRemoteRequest function in versions up to, and including, 6.0.1. This makes it possible for unauthenticated attackers with knowledge of an existing WooCommerc...

CVE-2023-5132

CVE-2023-5132 affects the Soisy Pagamento Rateale WordPress plugin (≤ 6.0.1). The vulnerability arises from a missing capability check in parseRemoteRequest, allowing unauthenticated attackers who know an existing WooCommerce Order ID to access sensitive order data (e.g., name, address, email, an...

CVE-2022-4943

The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's settings...

CVE-2022-4943

The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's settings...

CVE-2021-4334

The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpdupdateoptions function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissio...

Authorization

The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's settings...

Authorization

The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobebulkoperationsswap function. This makes it possible for authenticated attackers subscriber or higher to manipulate products...

Privilege escalation

The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpdupdateoptions function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissio...

Authorization

The Brizy plugin for WordPress is vulnerable to authorization bypass due to a incorrect capability check on the isadministrator function in versions up to, and including, 1.0.125. This makes it possible for authenticated attackers to access and interact with available AJAX functions...

CVE-2021-4334

CVE-2021-4334 affects the Fancy Product Designer WordPress plugin. A missing capability check in fpd_update_options (

CVE-2023-4941 BEAR <= 1.1.3.3 - Missing Authorization to Product Manipulation

The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobebulkoperationsswap function. This makes it possible for authenticated attackers subscriber or higher to manipulate products...

CVE-2020-36714

The Brizy plugin for WordPress is vulnerable to authorization bypass due to a incorrect capability check on the isadministrator function in versions up to, and including, 1.0.125. This makes it possible for authenticated attackers to access and interact with available AJAX functions...

CVE-2020-36714

CVE-2020-36714 affects the Brizy WordPress plugin. The issue is an incorrect capability check in is_administrator(), causing an authorization bypass that lets authenticated attackers access and interact with available AJAX functions. Affected versions are up to and including 1.0.125. The vulnerab...

CVE-2022-4943

The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5. This makes it possible for unauthenticated attackers to change the plugin's settings...

CVE-2023-4947

The WooCommerce EAN Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refreshordereandata AJAX action in versions up to 6.1.0. This makes it possible for authenticated attackers with contributor-level access and above,...

CVE-2021-4335

The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX functions in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with...

Authorization

The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobebulkoperationsvisibility function. This makes it possible for authenticated attackers subscriber or higher to manipulate products...

Design/Logic Flaw

The WooCommerce EAN Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refreshordereandata AJAX action in versions up to 6.1.0. This makes it possible for authenticated attackers with contributor-level access and above,...