Product Catalog Enquiry for WooCommerce < 5.0.3 - Unauthenticated Stored XSS via Arbitrary Setting Update
Description: The plugin does not properly authorize settings updates or escape settings values, leading to stored XSS by unauthenticated users. 1. Make sure the plugin is configured with "Catalog Mode" activated. 2. Launch the following from your browser's console: ...
WordPress Login Block IPs plugin <= 1.0.0 - Arbitrary Setting Update via Cross-Site Request Forgery (CSRF) vulnerability
Arbitrary Setting Update via Cross-Site Request Forgery (CSRF) vulnerability discovered by Daniel Ruf in WordPress Login Block IPs plugin versions <= 1.0.0. Solution: Deactivate and delete. This plugin has been closed as of September 5, 2022 and is not available for download. This closure is temporar...
CVE-2022-2172 LinkWorth Plugin < 3.3.4 - Arbitrary Setting Update via CSRF
The LinkWorth WordPress plugin before 3.3.4 does not implement nonce checks, which could allow attackers to make a logged-in admin change settings via a CSRF attack...
LinkWorth Plugin < 3.3.4 - Arbitrary Setting Update via CSRF
The plugin does not implement nonce checks, which could allow attackers to make a logged-in admin change settings via a CSRF attack. PoC...
LinkWorth Plugin < 3.3.4 - Arbitrary Setting Update via CSRF
The plugin does not implement nonce checks, which could allow attackers to make a logged-in admin change settings via a CSRF attack. document.getElementById("test").submit();...
WordPress Smash Balloon Social Post Feed plugin <= 4.0 - Stored Cross-Site Scripting (XSS) via Arbitrary Setting Update vulnerability
Stored Cross-Site Scripting (XSS) via Arbitrary Setting Update vulnerability discovered by Marc Montpas (Jetpack Security Team) in WordPress Smash Balloon Social Post Feed plugin versions <= 4.0. Solution: Update the WordPress Smash Balloon Social Post Feed plugin to the latest available version at lea...
Shantz WordPress QOTD <= 1.2.2 - Arbitrary Setting Update via CSRF
The plugin lacks any CSRF check when updating its settings, allowing attackers to make logged-in administrators change them to arbitrary values...