WordPress Page/Post Content Shortcode plugin authorization issue vulnerability
WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports the hosting of personal blogging sites on servers with PHP and MySQL. WordPress Page/Post Content Shortcode plugin in and prior versions is vulnerable to an authorization...
CVE-2021-24819
The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as...
CVE-2021-24780
The Single Post Exporter WordPress plugin through 1.1.1 does not have CSRF checks when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and give access to the export feature to any role such as subscriber. Subscriber users would then be able...
CVE-2021-24845 Improved Include Page <= 1.2 - Contributor+ Arbitrary Posts/Pages Access
The Improved Include Page WordPress plugin through 1.2 allows passing shortcode attributes with posttype & poststatus which can be used to retrieve arbitrary content. This way, users with a role as low as Contributor can gain access to content they are not supposed to...
The Plus Addons for Elementor Pro < 5.0.7 - Sensitive Data Disclosure
The plugin does not validate the qvquery parameter of the tpgetdlpostinfoajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts. The following request allows an unauthenticated user to get the draft posts; the nonce can be retriev...
MOLIE <= 0.5 - Authenticated SQL Injection
The plugin does not validate and escape a post parameter before using it in a SQL statement, leading to an SQL Injection. https://example.com/wp-admin/post.php?post=validpostid+and+SLEEP%285%29&action=edit https://example.com/wp-admin/admin-post.php?action=edit&post=1+and+SLEEP%285%29...
Logo Carousel < 3.4.2 - Unauthorised Private Post Access
The plugin allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature. PoC: 1. Go to Logo Carousel - Shortcode Generator. 2. If there is no carousel, create one. 3. Copy the URL of the "Duplicate" link under the...
WordPress plugin Popular Posts arbitrary file upload vulnerability
WordPress is a blogging platform developed using the PHP language, which supports setting up personal blogging sites on PHP and MySQL servers. WordPress plugin Popular Posts 5.3.2 and previous versions are vulnerable to arbitrary file uploads. An attacker could exploit the vulnerability to upload...
CVE-2021-42362
The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the /src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain...
CVE-2021-42362
WordPress Popular Posts plugin
CVE-2021-42362 WordPress Popular Posts <= 5.3.2 Authenticated Arbitrary File Upload
The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the /src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain...
CVE-2021-24851
The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (i.e. private), using a shortcode. Password protected posts/pages are not affected by this issue...
CVE-2021-24851
CVE-2021-24851 applies to the WordPress Insert Pages plugin prior to 3.7.0. Affected component: Insert Pages plugin (WordPress). Root cause: insufficient access control allowing users with a role as low as Contributor to access content and metadata from arbitrary posts/pages, regardless of au...
PT-2021-23594 · WordPress · Wordpress Popular Posts
Name of the Vulnerable Software and Affected Versions: WordPress Popular Posts versions up to and including 5.3.2 Description: The WordPress Popular Posts plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the /src/Image.php file. This makes it...
PT-2021-16333 · WordPress · Insert Pages
Name of the Vulnerable Software and Affected Versions: Insert Pages WordPress plugin versions prior to 3.7.0 Description: The issue allows users with a role as low as Contributor to access content and metadata from arbitrary posts or pages, regardless of their author and status, including private...