6262 matches found

Positive Technologies
added 2024/05/15 12:0 a.m. · 7 views

PT-2024-29678 · WordPress · Bulk Posts Editing For Wordpress

Name of the Vulnerable Software and Affected Versions: Bulk Posts Editing For WordPress plugin for WordPress versions up to, and including, 4.2.3. Description: The issue is related to a missing capability check on the plugin's AJAX actions. This allows authenticated attackers with subscriber acces...

CVSS 4.3 · AI score 6.5 · EPSS 0.00296
Exploits: 0 · References: 4

NVD
added 2024/05/14 3:39 p.m. · 15 views

CVE-2024-3070

The Last Viewed Posts by WPBeginner plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input from the LastViewedPosts Cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known...

CVSS 9.8 · AI score 9.7 · EPSS 0.01158
Exploits: 0 · References: 2

NVD
added 2024/05/14 3:39 p.m. · 17 views

CVE-2024-34427

Cross-Site Request Forgery (CSRF) vulnerability in Huseyin Berberoglu WP Favorite Posts. This issue affects WP Favorite Posts: from n/a through 1.6.8...

CVSS 4.3 · AI score 5.1 · EPSS 0.00249
Exploits: 0 · References: 1

Patchstack
added 2024/05/14 12:31 p.m. · 6 views

WordPress Bulk Posts Editing For WordPress plugin <= 4.2.3 - Authenticated (Subscriber+) Missing Authorization vulnerability

Authenticated (Subscriber+) Missing Authorization vulnerability discovered by Benedictus Jovan aillesiM in WordPress Plugin Bulk Posts Editing For WordPress versions <= 4.2.3...

CVSS 4.3 · AI score 7 · EPSS 0.00296
Exploits: 0 · References: 1 · Affected Software: 1

RedHat Linux
added 2024/05/14 9:7 a.m. · 2 views

netty-codec-http: Allocation of Resources Without Limits or Throttling

A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until ...

CVSS 5.3 · AI score 7.2 · EPSS 0.0138
Exploits: 1 · References: 8

CNNVD
added 2024/05/14 12:0 a.m. · 8 views

WordPress theme Porto security vulnerability

WordPress is a suite of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports personal blog sites on PHP and MySQL servers. WordPress theme is a theme for WordPress. A security vulnerability exists in WordPress theme Porto version 7.1.0 and earlier...

CVSS 9.8 · AI score 6 · EPSS 0.02687
Exploits: 0 · References: 4

Patchstack
added 2024/05/14 12:0 a.m. · 11 views

WordPress Bulk Posts Editing For WordPress Plugin <= 4.2.3 is vulnerable to Broken Access Control

Software: Bulk Posts Editing For WordPress · Type: Plugin · Vulnerable versions: <= 4.2.3 · Fixed in: 4.2.4 · OWASP Top 10: A5: Broken Access Control · Classification: Broken Access Control · CVE: CVE-2024-4199 · Patch priority: Low · CVSS severity: Low (4.3) · PSID: 035d66af9f0b · Credits: Benedictus...

CVSS 4.3 · AI score 6.6 · EPSS 0.00296
Exploits: 0 · References: 3 · Affected Software: 1

WPVulnDB
added 2024/05/14 12:0 a.m. · 11 views

BuddyBoss Platform < 2.6.0 - Insecure Direct Object Reference on Like Comment

Description: The plugin contains an IDOR vulnerability that allows a user to like a private post by manipulating the ID included in the request. PoC: POST /wp-admin/admin-ajax.php HTTP/2 Host: buddyboss.example.com Cookie: REDACTED User-Agent: Mozilla/5.0 Macintosh; Intel Mac OS X 10.15; rv:120.0...

AI score 6.4 · EPSS 0.0043
Exploits: 2 · Affected Software: 1

CNNVD
added 2024/05/14 12:0 a.m. · 4 views

Karma security vulnerability

Karma is a simple tool. Allows execution of JavaScript code in multiple real browsers. A security vulnerability exists in Karma versions prior to 0.17.4.1, which stems from the fact that sending multiple post requests at the same time will bypass the cooldown validation...

CVSS 6.3 · AI score 7 · EPSS 0.00765
Exploits: 0 · References: 5

Vulnrichment
added 2024/05/09 8:3 p.m. · 28 views

CVE-2024-3070 Last Viewed Posts by WPBeginner <= 1.0.0 - Unauthenticated PHP Object Injection

The Last Viewed Posts by WPBeginner plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input from the LastViewedPosts Cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known...

CVSS 9.8 · AI score 7.4 · EPSS 0.01158
Exploits: 0 · References: 2

CVE
added 2024/05/09 8:3 p.m. · 67 views

CVE-2024-3915

CVE-2024-3915 affects the Swift Framework WordPress plugin (versions up to and including 2.7.31). The root cause is a missing capability check in sf_edit_directory_item(), enabling unauthenticated attackers to modify arbitrary posts/content. Impact per available data is limited to integrity (LOW)...

CVSS 5.3 · AI score 6.7 · EPSS 0.00377
Exploits: 0 · References: 2

CVE
added 2024/05/09 11:45 a.m. · 29 views

CVE-2024-34427

CVE-2024-34427 describes a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin WP Favorite Posts, affecting versions from n/a through 1.6.8. The description notes CSRF risk but does not specify affected themes, exact attack vector, or exploit details beyond the vulnerability t...

CVSS 4.3 · AI score 5.1 · EPSS 0.00249
Exploits: 0 · References: 1

Cvelist
added 2024/05/09 11:45 a.m. · 17 views

CVE-2024-34427 WordPress WP Favorite Posts plugin <= 1.6.8 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Huseyin Berberoglu WP Favorite Posts. This issue affects WP Favorite Posts: from n/a through 1.6.8...

CVSS 4.3 · AI score 5.9 · EPSS 0.00249
Exploits: 0 · References: 1

Positive Technologies
added 2024/05/09 12:0 a.m. · 6 views

PT-2024-25880 · WordPress · Wp Favorite Posts

Name of the Vulnerable Software and Affected Versions: WP Favorite Posts versions 1.6.8 and earlier. Description: A Cross-Site Request Forgery (CSRF) issue has been identified. This type of issue allows an attacker to trick a user into performing unintended actions on a web application that the user...

CVSS 4.3 · AI score 6.9 · EPSS 0.00249
Exploits: 0 · References: 2

CVE
added 2024/05/08 9:31 a.m. · 65 views

CVE-2024-4135

CVE-2024-4135 affects the WP Latest Posts WordPress plugin, vulnerable in all versions up to 5.0.7. Unauthenticated attackers can trigger arbitrary shortcodes due to unvalidated user input used by do_shortcode. CVSS v3.1 base score 5.4 (Medium). A patched version exists; remediation is to update ...

CVSS 5.4 · AI score 9.5 · EPSS 0.00376
Exploits: 0 · References: 2

Patchstack
added 2024/05/08 2:18 a.m. · 5 views

WordPress WP Latest Posts plugin <= 5.0.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution vulnerability

Authenticated (Subscriber+) Arbitrary Shortcode Execution vulnerability discovered by stealthcopter in WordPress Plugin WP Latest Posts versions <= 5.0.7...

CVSS 5.4 · AI score 7.1 · EPSS 0.00376
Exploits: 0 · References: 1 · Affected Software: 1

WPVulnDB
added 2024/05/07 12:0 a.m. · 18 views

Post Grid Master < 3.4.8 - Missing Authorization

Description: The Post Grid Master plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ampostgridloadpostsajaxfunctions function in versions up to, and including, 3.4.7. This makes it possible for unauthenticated attackers to load posts...

CVSS 5.3 · AI score 6.7 · EPSS 0.00449
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2024/05/06 10:49 p.m. · 3 views

WordPress WP Favorite Posts plugin <= 1.6.8 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery (CSRF) vulnerability discovered by Huynh Tien Si Patchstack Alliance in WordPress Plugin WP Favorite Posts versions <= 1.6.8...

CVSS 4.3 · AI score 7 · EPSS 0.00249
Exploits: 0 · Affected Software: 1

Patchstack
added 2024/05/03 8:39 a.m. · 5 views

WordPress Last Viewed Posts by WPBeginner plugin <= 1.0.0 - Unauthenticated PHP Object Injection vulnerability

Unauthenticated PHP Object Injection vulnerability discovered by Francesco Carlucci in WordPress Plugin Last Viewed Posts by WPBeginner versions <= 1.0.0...

CVSS 9.8 · AI score 7.3 · EPSS 0.01158
Exploits: 0 · References: 1 · Affected Software: 1

NVD
added 2024/05/02 5:15 p.m. · 21 views

CVE-2024-4034

The Virtue theme for WordPress is vulnerable to Stored Cross-Site Scripting via a Post Author's name in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping when the latest posts feature is enabled on the homepage. This makes it possible for...

CVSS 6.4 · AI score 5.7 · EPSS 0.00579
Exploits: 0 · References: 3