Lucene search
K

38 matches found

NVD
NVD
added 2025/06/11 10:15 a.m.11 views

CVE-2025-4315

The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.23. This is due to the plugin allowing a user to update arbitrary user meta through the updateusermeta function. This makes it possible for...

8.8CVSS0.00447EPSS
Exploits0References3
CVE
CVE
added 2025/06/11 9:22 a.m.63 views

CVE-2025-4315

Summary: CVE-2025-4315 affects the CubeWP – All-in-One Dynamic Content Framework plugin for WordPress. The vulnerability is an authenticated privilege-escalation flaw exploitable by users with Subscriber+ privileges to elevate to Administrator via improper handling of update_user_meta(), affectin...

8.8CVSS8.6AI score0.00447EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2025/06/11 12:0 a.m.11 views

PT-2025-25201 · WordPress · Cubewp

Name of the Vulnerable Software and Affected Versions: The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress version 1.1.23 and earlier Description: The issue is related to Privilege Escalation, allowing authenticated attackers with Subscriber-level access and above to elevate...

8.8CVSS8.5AI score0.00447EPSS
Exploits0References13
Positive Technologies
Positive Technologies
added 2025/05/07 12:0 a.m.9 views

PT-2025-19929 · WordPress · Woocommerce Multiple Addresses

Name of the Vulnerable Software and Affected Versions: WooCommerce Multiple Addresses plugin for WordPress versions up to, and including, 1.0.7.1 Description: The issue is due to insufficient restrictions on user meta that can be updated through the save multiple shipping addresses function. This...

8.8CVSS8.8AI score0.00316EPSS
Exploits0References9
Cvelist
Cvelist
added 2025/04/12 6:37 a.m.38 views

CVE-2025-3418 WPC Admin Columns 2.0.6 - 2.1.0 - Authenticated (Subscriber+) Privilege Escalation via User Meta Update

The WPC Admin Columns plugin for WordPress is vulnerable to privilege escalation in versions 2.0.6 to 2.1.0. This is due to the plugin not properly restricting user meta values that can be updated through the ajaxeditsave function. This makes it possible for authenticated attackers, with...

8.8CVSS0.00359EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/04/12 3:21 a.m.6 views

CVE-2025-2871 WordPress Mega Menu – QuadMenu <= 3.2.0 - Cross-Site Request Forgery to Limited User Meta Update

The WordPress Mega Menu – QuadMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the ajaxdismissnotice function. This makes it possible for unauthenticated attackers to update a...

4.3CVSS4.7AI score0.00179EPSS
Exploits0References3
NVD
NVD
added 2025/03/15 3:15 a.m.25 views

CVE-2025-1653

The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.2.0. This is due to the stmlistingprofileedit AJAX action not having enough restriction on the user meta that can be updated. This makes it possibl...

8.8CVSS0.00486EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/02/11 6:54 a.m.3 views

CVE-2025-0180 WP Foodbakery <= 4.7 - Unauthenticated Privilege Escalation in foodbakery_registration_validation

The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3. This is due to the plugin not properly restricting what user meta can be updated during profile registration. This makes it possible for unauthenticated attackers to register on...

9.8CVSS9.8AI score0.00503EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/02/05 4:37 a.m.7 views

CVE-2024-9192

The WordPress Video Robot - The Ultimate Video Importer plugin for WordPress is vulnerable to privilege escalation due to insufficient validation on user meta that can be updated in the wpvrraterequestresult function in all versions up to, and including, 1.20.0. This makes it possible for...

8.8CVSS6.8AI score0.00566EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/02/04 10:32 p.m.11 views

CVE-2024-8253

The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in all versions 2.2.87 to 2.2.90. This is due to the plugin not properly restricting what user meta values can be updated and ensuring a form is active. This makes it possible for authenticated attackers...

8.8CVSS6.8AI score0.0957EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/01/15 9:25 a.m.33 views

CVE-2024-9636 Post Grid and Gutenberg Blocks 2.2.85 - 2.3.3 - Unauthenticated Privilege Escalation

The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in versions 2.2.85 to 2.3.3. This is due to the plugin not properly restricting what user meta can be updated during profile registration. This makes it possible for unauthenticated attackers to register...

9.8CVSS0.00773EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2024/12/12 5:24 a.m.6 views

CVE-2024-12172 WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses <= 3.2.21 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Meta Update

The WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpcupdateusermetaoption function in all versions up to, and including, 3.2.21. This makes it...

7.5CVSS6.5AI score0.00747EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2024/12/12 12:0 a.m.5 views

PT-2024-17469 · WordPress · Wp Courses Lms

Name of the Vulnerable Software and Affected Versions: WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses plugin for WordPress versions up to, and including, 3.2.21 Description: The issue is related to unauthorized access due to a missing capability...

7.5CVSS7.1AI score0.00747EPSS
Exploits0References7
CVE
CVE
added 2024/11/16 3:20 a.m.55 views

CVE-2024-9192

CVE-2024-9192 affects WordPress Video Robot - The Ultimate Video Importer plugin for WordPress (versions up to 1.20.0). The issue stems from insufficient validation of user meta that can be updated in wpvr_rate_request_result(), enabling authenticated attackers with subscriber-level access or hig...

8.8CVSS8.7AI score0.00566EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2024/11/16 3:20 a.m.13 views

CVE-2024-9192 WP Video Robot <= 1.20.0 - Authenticated (Subscriber+) Privilege Escalation via User Meta Update

The WordPress Video Robot - The Ultimate Video Importer plugin for WordPress is vulnerable to privilege escalation due to insufficient validation on user meta that can be updated in the wpvrraterequestresult function in all versions up to, and including, 1.20.0. This makes it possible for...

8.8CVSS6.9AI score0.00566EPSS
Exploits0References2
Patchstack
Patchstack
added 2024/11/15 9:17 p.m.3 views

WordPress WP Video Robot plugin <= 1.20.0 - Authenticated (Subscriber+) Privilege Escalation via User Meta Update vulnerability

Authenticated Subscriber+ Privilege Escalation via User Meta Update vulnerability discovered by Tonn in WordPress Plugin WordPress Video Robot - The Ultimate Video Importer versions = 1.20.0...

8.8CVSS7.1AI score0.00566EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2024/08/01 4:15 a.m.13 views

CVE-2024-6698

The FundEngine plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying user meta updated through the updateusermeta function. This makes it possible for authenticated attackers, with subscriber-level...

8.8CVSS5.7AI score0.00431EPSS
Exploits0References2
OSV
OSV
added 2023/11/22 4:15 p.m.6 views

CVE-2023-2438

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'userprosaveuserdata' function. This makes it possible for unauthenticated attackers to update the user meta and inject...

6.1CVSS5.7AI score0.00165EPSS
Exploits0References2
Rows per page
Query Builder