Lucene search
K

22 matches found

Positive Technologies
Positive Technologies
added 2026/02/18 12:0 a.m.7 views

PT-2026-20287

The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymail install yaysmtp' AJAX action and /yaymail/v1/addons/activate REST endpoint in all versions up to, and including, 4.3.2...

2.7CVSS5.5AI score0.00293EPSS
Exploits0References6
CNVD
CNVD
added 2025/11/11 12:0 a.m.2 views

Advantech WebAccess/VPN AjaxStandaloneVpnClientsController.ajaxAction function SQL injection vulnerability

Advantech WebAccess/VPN is a virtual private network feature integrated in Advantech WebAccess/SCADA software, designed to provide a secure and reliable network connectivity solution for industrial automation and remote monitoring systems. Advantech WebAccess/VPN suffers from a SQL injection...

6.5CVSS8.4AI score0.00284EPSS
Exploits0References1
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2019-6778

Malware in sbrugna...

8.8CVSS8.8AI score0.02071EPSS
Exploits2References4
EUVD
EUVD
added 2025/10/07 12:30 a.m.7 views

EUVD-2021-11899

Malware in sbrugna...

6.1CVSS6.2AI score0.01938EPSS
Exploits1References2
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2021-11839

Malware in sbrugna...

5.4CVSS5.4AI score0.006EPSS
Exploits2References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2022-15586

Malicious code in bioql PyPI...

6.4CVSS6.6AI score0.00632EPSS
Exploits2References1
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-51001

Malicious code in bioql PyPI...

4.3CVSS8.7AI score0.00329EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/05/23 1:50 a.m.7 views

CVE-2023-2526

The Easy Google Maps plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.11.7. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to executes AJAX actions via a forg...

5.4CVSS6.6AI score0.00282EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 10:16 p.m.8 views

CVE-2022-0234

The WOOCS WordPress plugin before 1.3.7.5 does not sanitise and escape the woocsinordercurrency parameter of the woocsgetproductspricehtml AJAX action available to both unauthenticated and authenticated users before outputting it back in the response, leading to a Reflected Cross-Site Scripting...

6.1CVSS6.5AI score0.01798EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2025/05/22 9:4 p.m.28 views

CVE-2021-24163

The AJAX action, wpajaxninjaformssendwpremoteinstallhandler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form – The Drag and Drop Form...

8.8CVSS6.8AI score0.01439EPSS
Exploits2References1
RedhatCVE
RedhatCVE
added 2025/05/22 9:4 p.m.25 views

CVE-2021-24356

In the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4, a lack of capability checks and insufficient nonce check on the AJAX action, simple301redirects/admin/activateplugin, made it possible for authenticated users to activate arbitrary plugins installed on vulnerable sites...

8.8CVSS6.6AI score0.02997EPSS
Exploits3References1
RedhatCVE
RedhatCVE
added 2025/05/22 7:23 p.m.6 views

CVE-2021-24730

The Logo Showcase with Slick Slider WordPress plugin before 1.2.5 does not have CSRF and authorisation checks in the lswsssaveattachmentdata AJAX action, allowing any authenticated users, such as Subscriber, to change title, description, alt text, and URL of arbitrary uploaded media...

4.3CVSS6.8AI score0.00339EPSS
Exploits2References1
NVD
NVD
added 2025/04/22 6:15 a.m.52 views

CVE-2025-2594

The User Registration & Membership WordPress plugin before 4.1.3 does not properly validate data in an AJAX action when the Membership Addon is enabled, allowing attackers to authenticate as any user, including administrators, by simply using the target account's user ID...

8.1CVSS0.0719EPSS
Exploits4References1
RedhatCVE
RedhatCVE
added 2025/02/14 4:29 a.m.23 views

CVE-2024-13769

The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the 'themeoptionsajaxpostaction' AJAX action in all versions up to, and including, 4.2.4. This makes it possible for...

6.4CVSS8AI score0.00291EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/02/05 5:14 a.m.16 views

CVE-2024-10958

The The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution via getshortcodedrenderedfenodelay AJAX action in all versions up to, and including, 8.8.08.007 . This is due to the software allowing users to execute an action that does not properly validate a value...

7.3CVSS7.6AI score0.01577EPSS
Exploits1References1
NVD
NVD
added 2024/12/12 7:15 a.m.16 views

CVE-2024-11724

The Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker for GDPR, CCPA & ePrivacy plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wplscriptsave AJAX action in all versions up to, and including, 3.6.5...

4.3CVSS0.00319EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2024/10/15 12:0 a.m.4 views

VulnCheck KEV: CVE-2020-36835

The Migration, Backup, Staging - WPvivid plugin for WordPress is vulnerable to sensitive information disclosure of a WordPress site's database due to missing capability checks on the wpajaxwpvividaddremote AJAX action that allows low-level authenticated attackers to send back-ups to a...

6.5CVSS5.8AI score0.00541EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2023/10/20 6:35 a.m.8 views

CVE-2023-4947 WooCommerce EAN Payment Gateway < 6.1.0 - Missing Authorization to Authenticated (Contributor+) EAN Update

The WooCommerce EAN Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refreshordereandata AJAX action in versions up to 6.1.0. This makes it possible for authenticated attackers with contributor-level access and above,...

4.3CVSS6.5AI score0.00357EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2023/04/19 12:0 a.m.18 views

WooCommerce Order Status Change Notifier <= 1.1.0 - Subscriber+ Arbitrary Order Status Update

The plugin does not have authorisation and CSRF when updating status orders via an AJAX action available to any authenticated users, which could allow low privilege users such as subscriber to update arbitrary order status, making them paid without actually paying for them for example PoC Run the...

6.5CVSS9AI score0.00337EPSS
Exploits2Affected Software1
Vulnrichment
Vulnrichment
added 2022/12/12 5:54 p.m.5 views

CVE-2022-3946 Welcart e-Commerce < 2.8.4 - Subscriber+ Arbitrary Shipping Method Creation/Update/Deletion

The Welcart e-Commerce WordPress plugin before 2.8.4 does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods...

7.1AI score0.00329EPSS
Exploits2References1
Rows per page
Query Builder