221 matches found
CVE-2021-36888 WordPress Image Hover Effects Ultimate plugin <= 9.6.1 - Unauthenticated Arbitrary Options Update leading to full website compromise
Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate versions = 9.6.1 WordPress plugin...
CVE-2021-36888 WordPress Image Hover Effects Ultimate plugin <= 9.6.1 - Unauthenticated Arbitrary Options Update leading to full website compromise
Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate versions = 9.6.1 WordPress plugin...
CVE-2021-36888
The CVE-2021-36888 entry affects the WordPress plugin Image Hover Effects Ultimate (versions
WordPress Image Hover Effects Ultimate plugin <= 9.6.1 - Unauthenticated Arbitrary Options Update leading to full website compromise
Unauthenticated Arbitrary Options Update leading to full website compromise discovered by mirphak aka John Castro Pagely in WordPress Image Hover Effects Ultimate plugin versions = 9.6.1. Solution Update the WordPress Image Hover Effects Ultimate plugin to the latest available version at least 9....
Sprawling Active Attack Aims to Take Over 1.6M WordPress Sites
An active attack against more than 1.6 million WordPress sites is underway, with researchers spotting tens of millions of attempts to exploit four different plugins and several Epsilon Framework themes. The goal, they said, is complete site takeover using administrative privileges. The scope of t...
1.6 Million WordPress Sites Under Cyberattack From Over 16,000 IP Addresses
As many as 1.6 million WordPress sites have been targeted by an active large-scale attack campaign originating from 16,000 IP addresses by exploiting weaknesses in four plugins and 15 Epsilon Framework themes. WordPress security company Wordfence, which disclosed details of the attacks, said...
PublishPress Capabilities < 2.3.1 - Unauthenticated Arbitrary Options Update to Blog Compromise
The plugin does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role and make any...
JobSearch WP Job Board < 1.8.2 - Subscriber+ Arbitrary Blog Options Update
The jobsearchjobintegrationssettinsave AJAX action of the plugin, available to any authenticated user, does not have authorisation and CSRF in place, allowing any authenticated user, such as subscriber to call it and modify arbitrary blog options...
WordPress Automatic < 3.53.3 - Unauthenticated Arbitrary Options Update
The plugin was vulnerable to Unauthenticated Arbitrary Options Update...
Social Sharing Plugin - Kiwi 2.1.0 - Unauthenticated Arbitrary WordPress Options Update and Read
The plugin re-introduced an issue in v2.1.0, allowing unauthenticated attacker to update and read arbitrary WordPress options. This could allow them to create admin accounts by enabling registration and setting the user default role to administrator, or to modify the value of siteurl in order to...
WordPress Materialis theme <=1.0.172 - Authenticated Options Update vulnerability
Authenticated Options Update vulnerability found by NinTechNet in WordPress Materialis theme versions =1.0.172. Solution Update the WordPress Materialis theme to the latest available version at least 1.0.173...
WordPress DELUCKS SEO plugin <= 2.1.7 - Unauthenticated Options Update vulnerability
Unauthenticated Options Update vulnerability found in WordPress DELUCKS SEO plugin versions = 2.1.7. Solution This plugin has been closed as of September 22, 2019 and is not available for download. This closure is temporary, pending a full review...
DELUCKS SEO <= 2.1.7 - Unauthenticated Options Update
This vulnerability was seen actively exploited in the wild on and around September 22nd 2019...
WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions
WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions Exploit Title: Wordpress Hybrid Composer = 1.4.6 - Unauthenticated Configuration Access Admin Takeover Date: 2019-07-24 Vendor Homepage: http://wordpress.framework-y.com Software Link:...
WordPress Plugin Hybrid Composer 1.4.6 - Improper Access Restrictions
Exploit Title: Wordpress Hybrid Composer = 1.4.6 - Unauthenticated Configuration Access Admin Takeover Date: 2019-07-24 Vendor Homepage: http://wordpress.framework-y.com Software Link: http://wordpress.framework-y.com/hybrid-composer/ Reference:...
One Click SSL <= 1.4.6 - Multiple Issues
Lack of CSRF and authorisation checks in the settings page, as well as AJAX methods such as ajaxenablessl, ajaxscan and so on could allow unauthorised settings change as well as call of the AJAX methods by a low privileged user. Additionally, it could also allow arbitrary site options update due ...
Hybrid Composer <= 1.4.6 - Unauthenticated Options Update
This plugin has a function to update Wordpress options via Ajax and it's set with the following: addaction'wpajaxnoprivhcajaxsaveoption', 'hcajaxsaveoption'; Which means it does not require authentication and is exploitable by anyone on the internet. I've already spoken to the plugin author about...
Hybrid Composer <= 1.4.6 - Unauthenticated Options Update
This plugin has a function to update Wordpress options via Ajax and it's set with the following: addaction'wpajaxnoprivhcajaxsaveoption', 'hcajaxsaveoption'; Which means it does not require authentication and is exploitable by anyone on the internet. I've already spoken to the plugin author about...
Breadcrumbs by menu <= 1.0.1 - Multiple Issues
XSS, CSRF leading to options update...
WordPress YellowPencil Visual CSS Style Editor plugin <= 7.2.0 - Unauthenticated arbitrary Options update vulnerability
Unauthenticated arbitrary Options update vulnerability found in WordPress YellowPencil Visual CSS Style Editor plugin versions = 7.2.0. Solution 12 April 2019 - this plugin was closed and is no longer available for download...