166 matches found
Cross site request forgery (csrf)
The Royal Elementor Addons WordPress plugin before 1.3.56 does not have authorization and CSRF checks when deleting a template and does not ensure that the post to be deleted is a template. This could allow any authenticated users, such as subscribers, to delete arbitrary posts assuming they know...
CVE-2022-4239 Workreap < 2.6.4 - Subscriber+ Arbitrary Posts Deletion via IDOR
The Workreap WordPress theme before 2.6.4 does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreapaddonsserviceremove action, allowing any user to delete any post by knowing or guessing the id...
Workreap < 2.6.4 - Subscriber+ Arbitrary Posts Deletion via IDOR
The theme does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreapaddonsserviceremove action, allowing any user to delete any post by knowing or guessing the id. PoC POST /testt/wp-admin/admin-ajax.php HTTP/...
Workreap < 2.6.4 - Subscriber+ Arbitrary Posts Deletion via IDOR
The theme does not verify that an addon service belongs to the user issuing the request, or indeed that it is an addon service, when processing the workreapaddonsserviceremove action, allowing any user to delete any post by knowing or guessing the id. POST /testt/wp-admin/admin-ajax.php HTTP/2...
Online Discussion Forum Site 安全漏洞
Sourcecodester Online Discussion Forum Site is an application of Sourcecodester. An online discussion forum. A security vulnerability exists in Online Discussion Forum Site. An attacker can exploit this vulnerability to delete arbitrary posts via the deletepost function...
WordPress plugin myCred 安全漏洞
WordPress is a set of blogging platform developed using the PHP language. myCred 2.4.4, a WordPress plugin, previously had an authorization issue vulnerability, which stems from the plugin's failure to perform any authorization and CSRF checks in the myCred tool's import and export AJAX operation...
CVE-2021-24978
The OSMapper WordPress plugin through 2.1.5 contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wpajaxnopriv prefix, making it available to unauthenticated users. There is no authorisation, CSRF and checks in place to ensure that the post to delete ...
Cross site request forgery (csrf)
The OSMapper WordPress plugin through 2.1.5 contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wpajaxnopriv prefix, making it available to unauthenticated users. There is no authorisation, CSRF and checks in place to ensure that the post to delete ...
Wordpress Orange Form Plugin Cross-Site Request Forgery Vulnerability
WordPress is the Wordpress Foundation's suite of blogging platforms developed using the PHP language. The platform supports the hosting of personal blogging sites on PHP and MySQL servers. cross-site request forgery vulnerability exists in Wordpress Orange Form Plugin 1.0.1 and prior versions,...
CVE-2021-24688
The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls, for example the ordeletefiled one which is available to both unauthenticated and authenticated users could allow attackers to delete arbitrary posts.The AJAX calls performing...
Cross site request forgery (csrf)
The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin's settings...
Cross site request forgery (csrf)
The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls, for example the ordeletefiled one which is available to both unauthenticated and authenticated users could allow attackers to delete arbitrary posts.The AJAX calls performing...
CVE-2021-25011 WP Google Map < 1.8.1 - Subscriber+ Arbitrary Post Deletion and Plugin's Settings Update
The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin's settings...
WordPress Qubely plugin cross-site request forgery vulnerability
WordPress is the WordPress Foundation's set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. cross-site request forgery vulnerability exists in versions prior to 1.7.8 of the Qubely plugin for WordPress, which...
WordPress Ultimate FAQ plugin cross-site request forgery vulnerability
WordPress is the WordPress Foundation's set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. cross-site request forgery vulnerability exists in versions prior to 2.1.2 of the Ultimate FAQ plugin for...
CVE-2021-25013
The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubelydeletesavedblock AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts...
CVE-2021-24989
The Accept Donations with PayPal WordPress plugin before 1.3.4 does not have CSRF check in place and does not ensure that the post to be deleted belongs to the plugin, allowing attackers to make a logged in admin delete arbitrary posts from the blog...
Cross site request forgery (csrf)
The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubelydeletesavedblock AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts...
WordPress 跨站请求伪造漏洞
WordPress is the WordPress Foundation's set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. cross-site request forgery vulnerability exists in versions prior to 1.7.8 of the Qubely plugin for WordPress, which...
Document Embedder < 1.7.5 - Unauthenticated Arbitrary Private/Draft Post Title Disclosure
The plugin contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts. PoC https://example.com/wp-json/doc/v1/single/509 509 being the ID of a private/draft Post...