82 matches found
Cross site request forgery (csrf)
The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the ladiflowsavehook function in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to update the 'ladiflowhookconfigs' option via a forged request...
Cross site request forgery (csrf)
The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the publishlp function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to change the LadiPage key a key fully controll...
Cross site request forgery (csrf)
The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the saveconfig function in versions up to, and including, 4.3. This makes it possible for unauthenticated attackers to update the 'ladipageconfig' option via a forged request granted they...
Cross site scripting
The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the publishlp function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and abov...
CVE-2023-4629 LadiApp <= 4.4 - Cross-Site Request Forgery via save_config()
The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the saveconfig function in versions up to, and including, 4.3. This makes it possible for unauthenticated attackers to update the 'ladipageconfig' option via a forged request granted they...
CVE-2023-4629 LadiApp <= 4.4 - Cross-Site Request Forgery via save_config()
The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the saveconfig function in versions up to, and including, 4.3. This makes it possible for unauthenticated attackers to update the 'ladipageconfig' option via a forged request granted they...
CVE-2023-4629
CVE-2023-4629 affects the LadiApp WordPress plugin (up to v4.3) and is due to a missing nonce check in save_config(), enabling CSRF. This allows unauthenticated attackers to update the ladipage_config option by tricking an administrator into performing an action (e.g., clicking a forged link). Im...
CVE-2023-4627 LadiApp <= 4.4 - Missing Authorization via save_config()
The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveconfig function in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and above to update the...
CVE-2023-4729 LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… <= 4.4 - Cross-Site Request Forgery via publish_lp()
The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the publishlp function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to change the LadiPage key a key fully controll...
CVE-2023-4729
CVE-2023-4729 relates to the LadiApp WordPress plugin. A CSRF vulnerability exists due to a missing nonce check on the publish_lp() AJAX action in versions up to 4.4. This can allow an unauthenticated attacker to change the LadiPage key and freely create pages, including pages that trigger stored...
CVE-2023-4627
CVE-2023-4627 (LadiApp WordPress plugin) is tied to a missing capability check in save_config() on versions up to 4.4, allowing authenticated attackers with subscriber-level access and above to modify the ladipage_config option. Red Hat’s advisory confirms the vulnerability and lists the affected...
CVE-2023-4729 LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… <= 4.4 - Cross-Site Request Forgery via publish_lp()
The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the publishlp function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to change the LadiPage key a key fully controll...
CVE-2023-4627 LadiApp <= 4.4 - Missing Authorization via save_config()
The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveconfig function in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and above to update the...
CVE-2023-4626
The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ladiflowsavehook function in versions up to, and including, 4.3. This makes it possible for authenticated attackers with subscriber-level access and above to update the...
CVE-2023-4728
CVE-2023-4728 concerns the LadiApp WordPress plugin. The issue is a missing capability check in publish_lp(), exposed via an AJAX action, allowing authenticated users with subscriber-level access or higher to modify the LadiPage key and create pages. This can enable stored XSS by pages created th...
CVE-2023-4626
The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ladiflowsavehook function in versions up to, and including, 4.3. This makes it possible for authenticated attackers with subscriber-level access and above to update the...
CVE-2023-4728 LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… <= 4.4 - Missing Authorization on publish_lp()
The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the publishlp function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and abov...
CVE-2023-4728 LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… <= 4.4 - Missing Authorization on publish_lp()
The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the publishlp function hooked via an AJAX action in versions up to, and including, 4.4. This makes it possible for authenticated attackers with subscriber-level access and abov...
CVE-2023-4626
The CVE-2023-4626 entry affects the LadiApp WordPress plugin, where a missing capability check in ladiflow_save_hook() enables data modification by authenticated users with subscriber-level access or higher. The vulnerability is noted in versions up to and including 4.3, allowing updates to the l...
CVE-2023-4628 LadiApp <= 4.4 - Cross-Site Request Forgery via ladiflow_save_hook()
The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the ladiflowsavehook function in versions up to, and including, 4.4. This makes it possible for unauthenticated attackers to update the 'ladiflowhookconfigs' option via a forged request...