Lucene search
+L

506 matches found

OSV
OSV
added 2023/10/16 8:15 p.m.3 views

CVE-2023-3707

The ActivityPub WordPress plugin before 1.0.0 does not ensure that post contents to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the content of arbitrary post such as draft and private via an IDOR vector. Password protected post...

4.3CVSS7.3AI score0.00468EPSS
Exploits2References1
NVD
NVD
added 2023/04/10 2:15 p.m.26 views

CVE-2023-1426

The WP Tiles WordPress plugin through 1.1.2 does not ensure that posts to be displayed are not draft/private, allowing any authenticated users, such as subscriber to retrieve the titles of draft and privates posts for example. AN attacker could also retrieve the title of any other type of post...

6.5CVSS6.4AI score0.00795EPSS
Exploits2References1
OSV
OSV
added 2023/04/10 2:15 p.m.4 views

CVE-2023-1426

The WP Tiles WordPress plugin through 1.1.2 does not ensure that posts to be displayed are not draft/private, allowing any authenticated users, such as subscriber to retrieve the titles of draft and privates posts for example. AN attacker could also retrieve the title of any other type of post...

6.5CVSS5.8AI score0.00795EPSS
Exploits2References1
Vulnrichment
Vulnrichment
added 2023/04/10 1:17 p.m.7 views

CVE-2023-1426 WP Tiles <= 1.1.2 - Subscriber+ Draft/Private Post Title Disclosure

The WP Tiles WordPress plugin through 1.1.2 does not ensure that posts to be displayed are not draft/private, allowing any authenticated users, such as subscriber to retrieve the titles of draft and privates posts for example. AN attacker could also retrieve the title of any other type of post...

6.4AI score0.00795EPSS
Exploits2References1
CVE
CVE
added 2023/04/10 1:17 p.m.74 views

CVE-2023-1426

CVE-2023-1426 affects the WordPress plugin WP Tiles up to version 1.1.2. The vulnerability arises because the plugin’s display logic does not ensure that posts shown are not drafts or private, allowing any authenticated user (e.g., subscribers) to retrieve the titles of draft/private posts and po...

6.5CVSS6.3AI score0.00795EPSS
Exploits2References1Affected Software1
Positive Technologies
Positive Technologies
added 2023/03/20 12:0 a.m.12 views

PT-2023-16593 · WordPress · Shortcodes Ultimate

Name of the Vulnerable Software and Affected Versions: Shortcodes Ultimate WordPress plugin versions prior to 5.12.8 Description: The issue allows any authenticated users, such as subscribers, to view draft, private, or even password-protected posts. It is also possible to leak the password of...

6.5CVSS6.7AI score0.00654EPSS
Exploits2References4
CNNVD
CNNVD
added 2023/03/20 12:0 a.m.8 views

WordPress Plugin Shortcodes Ultimate 信息泄露漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. An information disclosure vulnerability...

6.5CVSS7AI score0.00654EPSS
Exploits2References2
Positive Technologies
Positive Technologies
added 2023/03/13 12:0 a.m.6 views

PT-2023-16518 · Optinmonster · The Popup Builder By Optinmonster

Name of the Vulnerable Software and Affected Versions: The Popup Builder by OptinMonster WordPress plugin versions prior to 2.12.2 Description: The issue allows any authenticated users, such as subscribers, to retrieve the content of arbitrary posts, including drafts, private, or password-protect...

6.5CVSS8.7AI score0.00778EPSS
Exploits2References5
OpenVAS
OpenVAS
added 2023/03/08 12:0 a.m.31 views

Debian: Security Advisory (DLA-321-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

6.1CVSS5.4AI score0.06389EPSS
Exploits2References2
Veracode
Veracode
added 2023/02/24 8:15 a.m.16 views

Improper Authorization

pixelfed/pixelfed is vulnerable to Improper Authorization. The vulnerability exists due to a lack of permission checks in the store function of BookmarkController.php, which allows a remote attacker bypass the authorization mechanism to view private posts...

5.3CVSS5.3AI score0.00546EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2023/02/19 3:30 a.m.18 views

GHSA-QH6W-PQ52-QXXQ Pixelfed may allow unauthorized actor to view private posts

Improper Authorization in GitHub repository pixelfed/pixelfed 0.11.4 and prior...

5.3CVSS4.8AI score0.00546EPSS
Exploits1References4
OSV
OSV
added 2023/02/13 3:15 p.m.2 views

CVE-2022-3891

The WP FullCalendar WordPress plugin before 1.5 does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected...

5.3CVSS5.9AI score
Exploits0References1
OSV
OSV
added 2023/01/23 3:15 p.m.6 views

CVE-2021-24881

The Passster WordPress plugin before 3.5.5.9 does not properly check for password, as well as that the post to be viewed is public, allowing unauthenticated users to bypass the protection offered by the plugin, and access arbitrary posts such as private content, by sending a specifically crafted...

7.5CVSS5.8AI score0.00818EPSS
Exploits2References1
Positive Technologies
Positive Technologies
added 2023/01/23 12:0 a.m.9 views

PT-2023-12070 · WordPress · Passster

Name of the Vulnerable Software and Affected Versions: Passster WordPress plugin versions prior to 3.5.5.9 Description: The issue allows unauthenticated users to bypass the protection offered by the plugin and access arbitrary posts, such as private content, by sending a specifically crafted...

7.5CVSS7.5AI score0.00818EPSS
Exploits2References5
WPVulnDB
WPVulnDB
added 2023/01/17 12:0 a.m.23 views

WP FullCalendar < 1.5 - Unauthenticated Arbitrary Post Access

The plugin does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected ones. PoC Open the below URL as an...

5.3CVSS2AI score0.00694EPSS
Exploits2Affected Software1
Huntr
Huntr
added 2022/12/29 6:43 p.m.14 views

privilege escalation : Low access user can view Admin PRIVATE POST by using PIN functionality

Description Due to the privilege escalation issue Low access user can view Admin PRIVATE POST by abusing PIN functionality. PIN functionality is used to pin any post in TOP , by using the Low user Attacker can View the other & high privilege user PRIVATE POST , as per the flow its not PINNING any...

6.5CVSS7.1AI score0.00701EPSS
Exploits1
NVD
NVD
added 2022/08/15 11:21 a.m.28 views

CVE-2022-2535

The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users making a live search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink...

5.3CVSS0.01464EPSS
Exploits2References1
OSV
OSV
added 2022/08/15 11:21 a.m.5 views

CVE-2022-2535

The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users making a live search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink...

5.3CVSS5.8AI score0.01464EPSS
Exploits2References1
Prion
Prion
added 2022/08/15 11:21 a.m.21 views

Code injection

The SearchWP Live Ajax Search WordPress plugin before 1.6.2 does not ensure that users making a live search are limited to published posts only, allowing unauthenticated users to make a crafted query disclosing private/draft/pending post titles along with their permalink...

5CVSS5.2AI score0.01464EPSS
Exploits2References1Affected Software1
CVE
CVE
added 2022/08/15 8:38 a.m.95 views

CVE-2022-2535

The vulnerability CVE-2022-2535 affects WordPress plugin SearchWP Live Ajax Search (versions before 1.6.2). The root cause is that live search queries do not restrict results to published posts, allowing unauthenticated users to disclose private/draft/pending post titles and their permalinks thro...

5.3CVSS5.2AI score0.01464EPSS
Exploits2References1Affected Software1
Rows per page
Query Builder