VulnCheck KEV: CVE-2023-3124

The Elementor Pro plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the updatepageoption function in versions up to, and including, 3.11.6. This makes it possible for authenticated attackers with subscriber-level capabilities to update...

PT-2023-12471 · WordPress · Jobsearch Wp Job Board

Name of the Vulnerable Software and Affected Versions: JobSearch WP Job Board plugin for WordPress versions up to, and including, 1.8.1 Description: The issue is related to authorization bypass due to a missing capability check on the jobsearch job integrations settin save AJAX action. This allow...

PT-2023-12461 · WordPress · Jobsearch Wp Job Board

Name of the Vulnerable Software and Affected Versions: JobSearch WP Job Board plugin for WordPress versions up to, and including, 1.8.1 Description: The issue is related to authorization bypass due to a missing capability check on the save locsettings function. This allows unauthenticated attacke...

PT-2023-23260 · Elementor · Elementor Pro

Name of the Vulnerable Software and Affected Versions: Elementor Pro versions up to, and including, 3.11.6 Description: The issue allows authenticated attackers with subscriber-level capabilities to update arbitrary site options, potentially leading to privilege escalation, due to a missing...

PT-2023-12475 · WordPress · Jobsearch Wp Job Board

Name of the Vulnerable Software and Affected Versions: JobSearch WP Job Board plugin for WordPress versions up to, and including, 1.8.1 Description: The issue is related to a missing capability check on the jobsearch add job import schedule call function, allowing authenticated attackers to bypas...

PT-2023-12442 · WordPress · Ulisting

Name of the Vulnerable Software and Affected Versions: uListing plugin for WordPress versions up to, and including, 1.6.6 Description: The issue is related to authorization bypass due to a missing capability check in the "ulisting/includes/route.php" file. This affects the...

PT-2023-11378 · WordPress · Funnel Builder

Name of the Vulnerable Software and Affected Versions: Funnel Builder plugin for WordPress versions up to, and including, 1.3.0 Description: The issue is related to authorization bypass due to a missing capability check on the activate plugin function. This allows authenticated attackers to...

PT-2023-12482 · WordPress · Wp Quick Frontend Editor

Name of the Vulnerable Software and Affected Versions: WP Quick FrontEnd Editor plugin for WordPress versions up to and including 5.5 Description: The issue is due to the lack of a security nonce and a capabilities check, allowing low-authenticated attackers to change plugin settings without prop...

PT-2023-23266 · WordPress · B2Bking

Name of the Vulnerable Software and Affected Versions: B2BKing plugin for WordPress versions up to, and including, 4.6.00 Description: The issue allows authenticated attackers with subscriber or customer-level permissions to modify the pricing of any product on the site due to a missing capabilit...

CVE-2023-2299

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized medication of data via the /wp-json/vcita-wordpress/v1/actions/auth REST-API endpoint in versions up to, and including, 4.2.10 due to a missing capability check on the processAction...

CVE-2023-2299

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized medication of data via the /wp-json/vcita-wordpress/v1/actions/auth REST-API endpoint in versions up to, and including, 4.2.10 due to a missing capability check on the processAction...

CVE-2023-2415

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcitalogoutcallback function in versions up to, and including, 4.2.10. This makes it possible for authenticated attacker...

CVE-2023-2415

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcitalogoutcallback function in versions up to, and including, 4.2.10. This makes it possible for authenticated attacker...

Design/Logic Flaw

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized medication of data via the /wp-json/vcita-wordpress/v1/actions/auth REST-API endpoint in versions up to, and including, 4.2.10 due to a missing capability check on the processAction...

Design/Logic Flaw

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcitalogoutcallback function in versions up to, and including, 4.2.10. This makes it possible for authenticated attacker...

CVE-2023-2415 Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 - Missing Authorization to Account Logout

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcitalogoutcallback function in versions up to, and including, 4.2.10. This makes it possible for authenticated attacker...

CVE-2023-3053

The Page Builder by AZEXO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'azhaddpost' function in versions up to, and including, 1.27.133. This makes it possible for authenticated attackers to create a post with any post type and...

CVE-2023-3053 Page Builder by AZEXO <= 1.27.133 - Missing Authorization to Post Creation

The Page Builder by AZEXO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'azhaddpost' function in versions up to, and including, 1.27.133. This makes it possible for authenticated attackers to create a post with any post type and...

CVE-2023-3053 Page Builder by AZEXO <= 1.27.133 - Missing Authorization to Post Creation

The Page Builder by AZEXO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'azhaddpost' function in versions up to, and including, 1.27.133. This makes it possible for authenticated attackers to create a post with any post type and...

CVE-2023-2434

The Nested Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'reset' function in versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with editor-level permissions and above, to reset plugin settings...