118 matches found
CVE-2021-25011
The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin's settings...
CVE-2021-25081
The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin's settings via a CSRF attack...
CVE-2021-24704
In the Orange Form WordPress plugin through 1.0, the processbulkaction function in "admin/orange-form-email.php" performs an unprepared SQL query with an unsanitized parameter $id. Only admin can access the page that invokes the function, but because of lack of CSRF protection, it is actually...
WordPress 跨站请求伪造漏洞
WordPress is the WordPress Foundation's set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. cross-site request forgery vulnerability exists in versions prior to 2.1.2 of the Ultimate FAQ plugin for...
WordPress 插件访问控制错误漏洞
WordPress is a set of Wordpress Foundation's blogging platform developed using the PHP language. The platform supports setting up personal blogging sites on PHP and MySQL servers. WordPress Plugin is a WordPress open source application plugin. an access control error vulnerability exists in the...
Cross-Site Request Forgery (CSRF) in flatcore/flatcore-cms
Description 1 Missing CSRF token in delete posts and delete folder in the frontend 2 Missing backend CSRF validation in 1 removing and enabling fix status and 2 deleting posts, and 3 delete folder and 4 delexclude in the indexing page see Permalinks 3 Delete cache Proof of Concept Open in...
CVE-2021-24318
The Listeo WordPress theme before 1.6.11 did not ensure that the Post/Page and Booking to delete belong to the user making the request, allowing any authenticated users to delete arbitrary page/post and booking via an IDOR vector...
WordPress Redirection for Contact Form 7 Plugin Improper Access Control Vulnerability
WordPress is a set of blogging platforms developed using the PHP language by the WordPress Wordpress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. An improper access control vulnerability exists in WordPress Redirection for Contact Form 7 Plugin...
CVE-2020-9514
An issue was discovered in the IMPress for IDX Broker plugin before 2.6.2 for WordPress. wrappers.php allows a logged-in user with the Subscriber role to permanently delete arbitrary posts and pages, create new posts with arbitrary subjects, and modify the subjects of existing posts and pages via...
Code injection
An issue was discovered in the IMPress for IDX Broker plugin before 2.6.2 for WordPress. wrappers.php allows a logged-in user with the Subscriber role to permanently delete arbitrary posts and pages, create new posts with arbitrary subjects, and modify the subjects of existing posts and pages via...
CVE-2015-5483
Multiple cross-site request forgery CSRF vulnerabilities in the Private Only plugin 3.5.1 for WordPress allow remote attackers to hijack the authentication of administrators for requests that 1 add users, 2 delete posts, or 3 modify PHP files via unspecified vectors, or 4 conduct cross-site...
CVE-2015-5483
Multiple cross-site request forgery CSRF vulnerabilities in the Private Only plugin 3.5.1 for WordPress allow remote attackers to hijack the authentication of administrators for requests that 1 add users, 2 delete posts, or 3 modify PHP files via unspecified vectors, or 4 conduct cross-site...
CVE-2019-12253
my little forum before 2.4.20 allows CSRF to delete posts, as demonstrated by mode=posting&deleteposting...
CVE-2019-12253
CVE-2019-12253 affects the project’s “my little forum” prior to version 2.4.20. The vulnerability is a CSRF flaw that allows deleting posts via a crafted request (e.g., mode=posting&delete_posting). The issue is confirmed across multiple feeds (NVD/NVD-derived entries, Red Hat advisory, OSV, CVE ...
idreamsoft iCMS Cross-Site Request Forgery Vulnerability (CNVD-2019-12121)
iCMS is an efficient and simple content management system built with PHP and MySQL. A cross-site request forgery vulnerability exists in idreamsoft iCMS 7.0.14 and earlier versions, which can be exploited by an attacker to delete a user's posts via public/api.php?app=user URI...
Twitter-Clone 1 - Cross-Site Request Forgery (Delete Post)
Twitter-Clone 1 - Cross-Site Request Forgery Delete Post Exploit Title: Twitter-Clone 1 - Cross-Site Request Forgery Delete Post Date: 2018-08-21 Exploit Author: L0RD Vendor Homepage: https://github.com/Fyffe/PHP-Twitter-Clone/ Version: 1 CVE: N/A Tested on: Win 10 Description : An issue was...
Design/Logic Flaw
The "menu sync" function in the WPML plugin before 3.1.9 for WordPress allows remote attackers to delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php...
DEBIAN-CVE-2010-5106
The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role...