15 matches found

Patchstack
added 2026/04/17 2:16 a.m., 3 views

WordPress Canto plugin <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Setting Modification vulnerability

Missing Authorization to Authenticated (Subscriber+) Arbitrary Setting Modification vulnerability discovered by Legion Hunter in WordPress Plugin Canto versions <= 3.1.1...

CVSS 4.3, AI score 5.8, EPSS 0.00013
Exploits: 0, References: 1, Affected Software: 1

RedhatCVE
added 2026/01/09 11:57 a.m., 8 views

CVE-2018-4073

An exploitable Permission Assignment vulnerability exists in the ACEManager EmbeddedAceSetTask.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. The the binary the endpoint /cgi-bin/EmbededAceTLSetTask.cgi is a very similar endpoint that is designed for use with setting table values th...

CVSS 8.8, AI score 6.8, EPSS 0.36256
Exploits: 3, References: 1

wpexploit
added 2023/11/21 12:0 a.m., 174 views

Product Catalog Enquiry for WooCommerce < 5.0.3 - Unauthenticated Stored XSS via Arbitrary Setting Update

Description: The plugin does not properly authorize settings updates or escape settings values, leading to stored XSS by unauthenticated users. 1. Make sure the plugin is configured with the "Catalog Mode" activated. 2. Launch the following from your browser's console:...

CVSS 6.1, AI score 6, EPSS 0.00636
Exploits: 2

Patchstack
added 2022/09/05 12:0 a.m., 22 views

WordPress Login Block IPs plugin <= 1.0.0 - Arbitrary Setting Update via Cross-Site Request Forgery (CSRF) vulnerability

Arbitrary Setting Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress Login Block IPs plugin versions <= 1.0.0. Solution: Deactivate and delete. This plugin has been closed as of September 5, 2022 and is not available for download. This closure is temporar...

CVSS 4.3, AI score 2.8, EPSS 0.00112
Exploits: 2, References: 1, Affected Software: 1

Cvelist
added 2022/08/22 2:59 p.m., 15 views

CVE-2022-2172 LinkWorth Plugin < 3.3.4 - Arbitrary Setting Update via CSRF

The LinkWorth WordPress plugin before 3.3.4 does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack...

AI score 4.9, EPSS 0.00103
Exploits: 2, References: 2

WPVulnDB
added 2022/08/01 12:0 a.m., 25 views

LinkWorth Plugin < 3.3.4 - Arbitrary Setting Update via CSRF

The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack. PoC...

CVSS 4.3, AI score 4.7, EPSS 0.00103
Exploits: 2, References: 1, Affected Software: 1

wpexploit
added 2022/08/01 12:0 a.m., 115 views

LinkWorth Plugin < 3.3.4 - Arbitrary Setting Update via CSRF

The plugin does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack. document.getElementById("test").submit();...

CVSS 4.3, AI score 1.5, EPSS 0.00103
Exploits: 2, References: 1

Patchstack
added 2021/10/29 12:0 a.m., 11 views

WordPress Smash Balloon Social Post Feed plugin <= 4.0 - Stored Cross-Site Scripting (XSS) via Arbitrary Setting Update vulnerability

Stored Cross-Site Scripting (XSS) via Arbitrary Setting Update vulnerability discovered by Marc Montpas (JetPack Security Team) in WordPress Smash Balloon Social Post Feed plugin versions <= 4.0. Solution: Update the WordPress Smash Balloon Social Post Feed plugin to the latest available version at lea...

AI score 2.2, EPSS 0.0018
Exploits: 1, References: 3, Affected Software: 1

wpexploit
added 2021/07/19 12:0 a.m., 828 views

Shantz WordPress QOTD <= 1.2.2 - Arbitrary Setting Update via CSRF

The plugin is lacking any CSRF check when updating its settings, allowing attackers to make logged in administrators change them to arbitrary values...

CVSS 4.3, AI score 1.3, EPSS 0.00103
Exploits: 2

NVD
added 2019/05/06 7:29 p.m., 20 views

CVE-2018-4073

An exploitable Permission Assignment vulnerability exists in the ACEManager EmbeddedAceSetTask.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. The the binary the endpoint /cgi-bin/EmbededAceTLSetTask.cgi is a very similar endpoint that is designed for use with setting table values th...

CVSS 8.8, AI score 8.6, EPSS 0.36256
Exploits: 3, References: 1

OSV
added 2019/05/06 7:29 p.m., 2 views

CVE-2018-4073

An exploitable Permission Assignment vulnerability exists in the ACEManager EmbeddedAceSetTask.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. The the binary the endpoint /cgi-bin/EmbededAceTLSetTask.cgi is a very similar endpoint that is designed for use with setting table values th...

CVSS 8.8, AI score 5.9, EPSS 0.36256
Exploits: 3, References: 1

Prion
added 2019/05/06 7:29 p.m., 24 views

Design/Logic Flaw

An exploitable Permission Assignment vulnerability exists in the ACEManager EmbeddedAceSetTask.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. The the binary the endpoint /cgi-bin/EmbededAceTLSetTask.cgi is a very similar endpoint that is designed for use with setting table values th...

CVSS 6.5, AI score 8.5, EPSS 0.36256
Exploits: 3, References: 1, Affected Software: 1

Cvelist
added 2019/05/06 6:22 p.m., 22 views

CVE-2018-4073

An exploitable Permission Assignment vulnerability exists in the ACEManager EmbeddedAceSetTask.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. The the binary the endpoint /cgi-bin/EmbededAceTLSetTask.cgi is a very similar endpoint that is designed for use with setting table values th...

AI score 8.7, EPSS 0.36256
Exploits: 3, References: 1

Talos
added 2019/04/25 12:0 a.m., 44 views

Sierra Wireless AirLink ES450 ACEManager Embedded_Ace_Set_Task.cgi Permission Assignment Vulnerability

Summary: An exploitable Permission Assignment vulnerability exists in the ACEManager EmbeddedAceSetTask.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause arbitrary setting writes, resulting in unverified changes to any system setting. An...

CVSS 8.8, AI score 9, EPSS 0.36256
Exploits: 4

Tenable Nessus
added 2006/06/19 12:0 a.m., 21 views

FreeBSD : WebCalendar -- information disclosure vulnerability (09c92f3a-fd49-11da-995c-605724cdf281)

Secunia reports: socsam has discovered a vulnerability in WebCalendar, which can be exploited by malicious people to bypass certain security restrictions and disclose sensitive information. Input passed to the 'includedir' parameter isn't properly verified before it is used in an 'fopen' call...

CVSS 6.4, AI score 5.5, EPSS 0.0103
Exploits: 0, References: 4