257 matches found
WordPress plugin Banner Cycler 跨站请求伪造漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site request forger...
CVE-2022-2555
The Yotpo Reviews for WooCommerce WordPress plugin through 2.0.4 lacks nonce check when updating its settings, which could allow attacker to make a logged in admin change them via a CSRF attack...
CVE-2022-2172
The LinkWorth WordPress plugin before 3.3.4 does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack...
CVE-2022-36968
In Progress WSFTP Server prior to version 8.7.3, forms within the administrative interface did not include a nonce to mitigate the risk of cross-site request forgery CSRF attacks...
Progress WS_FTP Server 跨站请求伪造漏洞
Progress WSFTP Server is an effective and highly manageable FTP server from Progress. A security vulnerability exists in Progress WSFTP Server versions prior to 8.7.3, which stems from a form in its administration interface that does not contain a nonce to reduce the risk of cross-site request...
CVE-2022-2224
The WordPress plugin Gallery for Social Photo is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.0.0.27 due to failure to properly check for the existence of a nonce in the function gifeedduplicatefeed. This make it possible for unauthenticated attackers to duplicate...
CVE-2022-2224
The WordPress plugin Gallery for Social Photo is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.0.0.27 due to failure to properly check for the existence of a nonce in the function gifeedduplicatefeed. This make it possible for unauthenticated attackers to duplicate...
CVE-2022-2039
The Free Live Chat Support plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.0.11. This is due to missing nonce protection on the livesupportisettings function found in the /livesupporti.php file. This makes it possible for unauthenticated attacke...
CVE-2022-1630
The WP-EMail WordPress plugin before 2.69.0 does not protect its log deletion functionality with nonce checks, allowing attacker to make a logged in admin delete logs via a CSRF attack...
CVE-2022-1611
The Bulk Page Creator WordPress plugin before 1.1.4 does not protect its page creation functionalities with nonce checks, which makes them vulnerable to CSRF...
CVE-2021-24761
The Error Log Viewer WordPress plugin before 1.1.2 does not perform nonce check when deleting a log file and does not have path traversal prevention, which could allow attackers to make a logged in admin delete arbitrary text files on the web server...
CVE-2021-24685
The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload triggered either in the frontend or backend...
CVE-2021-24163
The AJAX action, wpajaxninjaformssendwpremoteinstallhandler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop Form...
CVE-2018-20231
Cross Site Request Forgery CSRF in the two-factor-authentication plugin before 1.3.13 for WordPress allows remote attackers to disable 2FA via the tfaenabletfa parameter due to missing nonce validation...
CVE-2018-11580
An issue was discovered in mass-pages-posts-creator.php in the MULTIDOTS Mass Pages/Posts Creator plugin 1.2.2 for WordPress. Any logged in user can launch Mass Pages/Posts creation with custom content. There is no nonce or user capability check, so anyone can launch a DoS attack against a site a...
UBUNTU-CVE-2017-9064
In WordPress before 4.7.5, a Cross Site Request Forgery CSRF vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials...
PT-2014-2777 · Simplegeo · Python-Oauth2
Name of the Vulnerable Software and Affected Versions: SimpleGeo python-oauth2 affected versions not specified Description: The issue is related to the Server.verify request function in SimpleGeo python-oauth2, which does not check the nonce. This omission allows remote attackers to perform repla...