506 matches found
PT-2024-15674
Name of the Vulnerable Software and Affected Versions The Simple Job Board plugin for WordPress versions up to, and including, 2.10.8 Description The issue allows unauthorized access to data due to insufficient authorization checking on the fetch quick job function. This makes it possible for...
CVE-2024-0421
The MapPress Maps for WordPress plugin before 2.88.16 is affected by an IDOR as it does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts...
Code injection
The MapPress Maps for WordPress plugin before 2.88.16 does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts...
CVE-2024-0421 MapPress Maps for WordPress < 2.88.16 - Unauthenticated Arbitrary Private/Draft Post Disclosure
The MapPress Maps for WordPress plugin before 2.88.16 is affected by an IDOR as it does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts...
WordPress Plugin MapPress Maps Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A security vulnerability previously existed...
PT-2024-15544 · WordPress · Mappress Maps
Name of the Vulnerable Software and Affected Versions: MapPress Maps for WordPress versions prior to 2.88.16 Description: The issue affects the MapPress Maps for WordPress plugin, allowing unauthenticated users to read arbitrary private and draft posts due to an Insecure Direct Object Reference...
PT-2024-15006 · WordPress · The Events Calendar
Name of the Vulnerable Software and Affected Versions: The Events Calendar plugin for WordPress versions up to, and including, 6.2.8.2 Description: The issue allows unauthenticated attackers to extract potentially sensitive data, including post titles and IDs of pending, private, and draft posts,...
CVE-2023-7199
The Relevanssi WordPress plugin before 4.22.0, Relevanssi Premium WordPress plugin before 2.25.0 allows any unauthenticated user to read draft and private posts via a crafted request...
CVE-2023-7199
The Relevanssi WordPress plugin before 4.22.0, Relevanssi Premium WordPress plugin before 2.25.0 allows any unauthenticated user to read draft and private posts via a crafted request...
WordPress plugin Relevanssi security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. The WordPress plugin Relevanssi version...
CVE-2023-5922
The Royal Elementor Addons and Templates WordPress plugin before 1.3.81 does not ensure that users accessing posts via an AJAX action and REST endpoint, currently disabled in the plugin have the right to do so, allowing unauthenticated users to access arbitrary draft, private and password protect...
CVE-2023-5922 Royal Elementor Addons and Templates < 1.3.81 - Unauthenticated Arbitrary Post Read
The Royal Elementor Addons and Templates WordPress plugin before 1.3.81 does not ensure that users accessing posts via an AJAX action and REST endpoint, currently disabled in the plugin have the right to do so, allowing unauthenticated users to access arbitrary draft, private and password protect...
The Events Calendar < 6.2.9 - Unauthenticated Sensitive Information Exposure
Description The plugin is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.2.8.2 via the route function hooked into wpajaxnoprivtribedropdown. This makes it possible for unauthenticated attackers to extract potentially sensitive data including post titles and I...
CVE-2023-6077
The Slider WordPress plugin before 3.5.12 does not ensure that posts to be accessed via an AJAX action are slides and can be viewed by the user making the request, allowing any authenticated users, such as subscriber to access the content arbitrary post such as private, draft and password protect...
CVE-2023-6077
The Slider WordPress plugin before 3.5.12 does not ensure that posts to be accessed via an AJAX action are slides and can be viewed by the user making the request, allowing any authenticated users, such as subscriber to access the content arbitrary post such as private, draft and password protect...
Yet Another Stars Rating < 3.4.4 - Missing Authorization via init
Description The Yet Another Stars Rating plugin for WordPress is vulnerable to unauthorized modification of data due to a missing check on the init function in versions up to, and including, 3.4.3. This makes it possible for unauthenticated attackers to vote on private or nonexistent posts...
Automattic: Timeline API returns private post when target of a push notification
The Timeline API was able to return private posts when the target of a push notification, even though the user did not have access to the post...
WordPress 4.6.x < 4.6.27 Multiple Vulnerabilities
According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities : - A potential disclosure of user email addresses. - An RCE POP Chains vulnerability. - A Cross-Site Scripting XSS vulnerability in the post link navigation block. - An issue...
WordPress 4.5.x < 4.5.30 Multiple Vulnerabilities
According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities : - A potential disclosure of user email addresses. - An RCE POP Chains vulnerability. - A Cross-Site Scripting XSS vulnerability in the post link navigation block. - An issue...
WordPress 5.0.x < 5.0.20 Multiple Vulnerabilities
According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities : - A potential disclosure of user email addresses. - An RCE POP Chains vulnerability. - A Cross-Site Scripting XSS vulnerability in the post link navigation block. - An issue...