80 matches found
CVE-2024-9193 WHMpress <= 6.3-revision-0 - Unauthenticated Local File Inclusion to Arbitrary Options Update
The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.3-revision-0 via the whmpressdomainsearchajaxextendedresults function. This makes it possible for unauthenticated attackers to include and execute...
CVE-2025-27098
GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. Missing check vulnerability in the static file handler allows any...
CVE-2025-27098 Unwanted access to the entire file system vulnerability due to a missing check in `staticFiles` HTTP handler in graphql-mesh
GraphQL Mesh is a GraphQL Federation framework and gateway for both GraphQL Federation and non-GraphQL Federation subgraphs, non-GraphQL services, such as REST and gRPC, and also databases such as MongoDB, MySQL, and PostgreSQL. Missing check vulnerability in the static file handler allows any...
CVE-2025-27098
GraphQL Mesh exposes a path traversal vulnerability in its staticFiles handler. When serve.staticFiles is configured, the code path does not reliably constrain absolutePath to the staticFiles directory, allowing access to files outside the intended directory. Affects GraphQL Mesh and related CLI/...
CVE-2024-12296
The Apus Framework plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'importpageoptions' function in all versions up to, and including, 2.4. This makes it possible for authenticated attackers, wit...
CVE-2024-11725
The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the updateWcWarrantySettings function in all versions up to, and including, 3.7.6. This makes it...
CVE-2024-10591
The MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hubwoosaveupdates function in all version...
WordPress Youzify plugin <= 1.3.4 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update vulnerability
Missing Authorization to Authenticated Subscriber+ Limited Options Update vulnerability discovered by Stiofan in WordPress Plugin Youzify versions = 1.3.4...
CVE-2024-13370 Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress <= 1.3.3 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update (save_addon_key_license)
The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the saveaddonkeylicense function in all versions up to, and including, 1.3.3. This makes it possible fo...
WordPress Leopard plugin <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update vulnerability
Missing Authorization to Authenticated Subscriber+ Arbitrary Options Update vulnerability discovered by Tonn in WordPress Plugin Leopard - WordPress offload media versions = 3.1.1...
WordPress plugin Booking & Appointment Plugin for WooCommerce 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...
WordPress plugin Facebook Chat 访问控制错误漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. An access control...
CVE-2024-6660
The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the bookingpressimportdatacontinueprocessfunc function in all...
Ultimate Noindex Nofollow Tool II < 1.3.6 - Admin+ Stored XSS
Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup 1. Go to "Settings Ultimate Noindex" 2...
Design/Logic Flaw
The SpeedyCache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the speedycachesavevarniship, speedycacheimgupdatesettings, speedycachepreloadingaddsettings, and speedycachepreloadingdeleteresource functions in all versions up to, and...
KLA62391 Multiple vulnerabilities in Microsoft Office
Multiple vulnerabilities were found in Microsoft Office. Malicious users can exploit these vulnerabilities to obtain sensitive information, spoof user interface. Below is a complete list of vulnerabilities: 1. An information disclosure vulnerability in Microsoft Outlook can be exploited remotely ...
Deeper Comments <= 2.1.1 - Subscriber+ Arbitrary Options Update
Description The plugin does not have authorisation in its updateoptions AJAX action, allowing any authenticated users, such as subscribers to update arbitrary blog options like defaultrole etc...
CVE-2021-4334
The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpdupdateoptions function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissio...
CVE-2015-10120 WDS Multisite Aggregate Plugin WDS_Multisite_Aggregate_Options.php update_options cross site scripting
A vulnerability, which was classified as problematic, was found in WDS Multisite Aggregate Plugin up to 1.0.0 on WordPress. Affected is the function updateoptions of the file includes/WDSMultisiteAggregateOptions.php. The manipulation leads to cross site scripting. It is possible to launch the...
PT-2023-10298 · WordPress · Wds Multisite Aggregate Plugin
Name of the Vulnerable Software and Affected Versions: WDS Multisite Aggregate Plugin versions up to 1.0.0 Description: A problematic issue was found in the WDS Multisite Aggregate Plugin, affecting the update options function of the file includes/WDS Multisite Aggregate Options.php. This issue...