Lucene search
+L

1352 matches found

osv
osv
added 2023/06/09 6:15 a.m.5 views

CVE-2023-1169

The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to missing authorization due to a missing capability check on the 'fileuploadercallback' function in versions up to, and including, 2.1.4. This makes it possible for subscriber-level attackers to upload image attachments to the...

4.3CVSS7.3AI score0.00573EPSS
Exploits0References3
nvd
nvd
added 2023/06/09 6:15 a.m.21 views

CVE-2023-1169

The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to missing authorization due to a missing capability check on the 'fileuploadercallback' function in versions up to, and including, 2.1.4. This makes it possible for subscriber-level attackers to upload image attachments to the...

4.3CVSS4.4AI score0.00573EPSS
Exploits0References3
nvd
nvd
added 2023/06/09 6:15 a.m.29 views

CVE-2023-0691

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mflastname' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary...

4.3CVSS4.3AI score0.00603EPSS
Exploits0References3
prion
prion
added 2023/06/09 6:15 a.m.23 views

Information disclosure

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mfthankyou' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about form...

4CVSS6AI score0.00735EPSS
Exploits0References3Affected Software1
prion
prion
added 2023/06/09 6:15 a.m.26 views

Authorization

The Directorist plugin for WordPress is vulnerable to an Insecure Direct Object Reference in versions up to, and including, 7.5.4. This is due to improper validation and authorization checks within the listingtask function. This makes it possible for authenticated attackers, with subscriber-level...

4CVSS6.8AI score0.00609EPSS
Exploits2References2Affected Software1
prion
prion
added 2023/06/09 6:15 a.m.34 views

Design/Logic Flaw

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the getremotetemplates function in versions up to, and including, 1.8.3. This makes it possible for authenticated attackers with subscriber-level...

4CVSS4.3AI score0.00515EPSS
Exploits2References2Affected Software1
prion
prion
added 2023/06/09 6:15 a.m.26 views

Design/Logic Flaw

The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized cache deletion in versions up to, and including, 1.1.2 due to a missing capability check in the deleteCacheToolbar function . This makes it possible for authenticated attackers, with subscriber-level permissions and above, to...

4CVSS4.4AI score0.00534EPSS
Exploits0References3Affected Software1
prion
prion
added 2023/06/09 6:15 a.m.35 views

Server side request forgery (ssrf)

The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Server Side Request Forgery via the getremotecontent REST API endpoint in versions up to, and including, 1.8.3. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary...

5.5CVSS8.9AI score0.00606EPSS
Exploits2References2Affected Software1
prion
prion
added 2023/06/09 6:15 a.m.18 views

Authorization

The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to missing authorization due to a missing capability check on the 'fileuploadercallback' function in versions up to, and including, 2.1.4. This makes it possible for subscriber-level attackers to upload image attachments to the...

4CVSS4.5AI score0.00573EPSS
Exploits0References3Affected Software1
vulnrichment
vulnrichment
added 2023/06/09 5:33 a.m.34 views

CVE-2023-1169 OoohBoi Steroids for Elementor <= 2.1.4 - Missing Authorization leading to Authenticated (Subscriber+) Image Upload

The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to missing authorization due to a missing capability check on the 'fileuploadercallback' function in versions up to, and including, 2.1.4. This makes it possible for subscriber-level attackers to upload image attachments to the...

4.3CVSS6.6AI score0.00573EPSS
Exploits0References3
cve
cve
added 2023/06/09 5:33 a.m.60 views

CVE-2023-2189

CVE-2023-2189 affects Elementor Addons, Widgets and Enhancements – Stax for WordPress. Cause: missing capability check in toggle_widget (versions up to 1.4.3). Impact: authenticated users with subscriber-level permissions+ can enable/disable Elementor widgets. Patch status: Unpatched per Wordfenc...

4.3CVSS5.2AI score0.00595EPSS
Exploits1References3Affected Software1
vulnrichment
vulnrichment
added 2023/06/09 5:33 a.m.20 views

CVE-2023-2764

The Draw Attention plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxsetfeaturedimage function in versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with subscriber-level permissions and...

4.3CVSS6.5AI score0.00508EPSS
Exploits0References3
cvelist
cvelist
added 2023/06/09 5:33 a.m.45 views

CVE-2023-2084 Essential Blocks <= 4.0.6 - Missing Authorization via get

The Essential Blocks plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the get function in versions up to, and including, 4.0.6. This makes it possible for subscriber-level attackers to obtain plugin settings. While a nonce check is...

4.3CVSS4.6AI score0.00513EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2023/06/09 12:0 a.m.4 views

PT-2023-20153 · WordPress · Wpcs – Wordpress Currency Switcher Professional

Name of the Vulnerable Software and Affected Versions: WPCS – WordPress Currency Switcher Professional plugin versions up to, and including, 1.1.9 Description: The issue allows authenticated attackers with subscriber-level permissions and above to modify data without authorization due to a missin...

4.3CVSS5.2AI score0.00434EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2023/06/09 12:0 a.m.7 views

PT-2023-20157 · WordPress · Wpcs – Wordpress Currency Switcher Professional

Name of the Vulnerable Software and Affected Versions: WPCS – WordPress Currency Switcher Professional plugin versions up to, and including, 1.1.9 Description: The issue allows authenticated attackers with subscriber-level permissions and above to delete an arbitrary custom drop-down currency...

4.3CVSS5.5AI score0.00434EPSS
Exploits0References5
wpvulndb
wpvulndb
added 2023/06/08 12:0 a.m.24 views

WP-Members Membership < 3.4.8 - Subscriber+ Unauthorized Plugin Settings Update

The plugin does not correctly implement capability checks on the dofieldreorder function, allowing authenticated users with only subscriber-level access to reorder form elements on login forms...

4.3CVSS6.7AI score0.00503EPSS
Exploits0References1Affected Software1
vulnrichment
vulnrichment
added 2023/06/07 12:43 p.m.12 views

CVE-2021-4379 WooCommerce Multi Currency <= 2.1.17 - Missing Authorization

The WooCommerce Multi Currency plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wmcbulkfixedprice function in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers, with subscriber-level permissions and above, ...

6.5CVSS6.6AI score0.00802EPSS
Exploits3References3
nvd
nvd
added 2023/06/07 2:15 a.m.28 views

CVE-2022-4948

The FlyingPress plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 3.9.6. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to interact with the plugin in...

4.3CVSS4.3AI score0.00535EPSS
Exploits1References2
nvd
nvd
added 2023/06/07 2:15 a.m.35 views

CVE-2023-3124

The Elementor Pro plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the updatepageoption function in versions up to, and including, 3.11.6. This makes it possible for authenticated attackers with subscriber-level capabilities to update...

8.8CVSS8.4AI score0.2272EPSS
Exploits2References2
osv
osv
added 2023/06/07 2:15 a.m.6 views

CVE-2020-36704

The Fruitful Theme for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters stored via the fruitfulthemeoptionsaction AJAX action in versions up to, and including, 3.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

5.4CVSS5.9AI score0.005EPSS
Exploits1References2
Rows per page
Query Builder