WordPress Quote Comments plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Update vulnerability
Missing Authorization to Authenticated Subscriber+ Arbitrary Plugin Settings Update vulnerability discovered by Legion Hunter in WordPress Plugin Quote Comments versions <= 3.0.0...
EUVD-2024-48790
Malicious code in bioql PyPI...
CVE-2021-25032
The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a...
CVE-2025-3953 WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin <= 14.13.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Update
The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'optionUpdater' function in all versions up to, and including, 14.13.3. This makes it possible for authenticated...
CVE-2024-7950
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Local File Inclusion, Arbitrary Settings Update, and User Creation in all versions up to, and including, 2.1.6 via several functions called by the 'checkFormRequest' function...
CVE-2024-7950 WP Job Portal <= 2.1.6 - Missing Authorization to Unauthenticated Local File Inclusion, Arbitrary Settings Update, and User Creation
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Local File Inclusion, Arbitrary Settings Update, and User Creation in all versions up to, and including, 2.1.6 via several functions called by the 'checkFormRequest' function...
CVE-2024-7950
The WP Job Portal plugin for WordPress (versions up to and including 2.1.6) is vulnerable to unauthenticated Local File Inclusion, Arbitrary Settings Update, and User Creation via functions invoked by checkFormRequest. Attackers can include and execute arbitrary PHP files on the server, potential...
WordPress WP Job Portal plugin <= 2.1.6 - Unauthenticated Local File Inclusion, Arbitrary Settings Update, and User Creation vulnerability
Unauthenticated Local File Inclusion, Arbitrary Settings Update, and User Creation vulnerability discovered by Connor Billings in WordPress Plugin WP Job Portal versions <= 2.1.6...
WordPress Simple Photoswipe plugin <= 0.1 - Subscriber+ Arbitrary Settings Update vulnerability
Subscriber+ Arbitrary Settings Update vulnerability discovered by Felipe Caon in WordPress Plugin Simple Photoswipe versions <= 0.1...
CVE-2024-5570 Simple Photoswipe <= 0.1 - Subscriber+ Arbitrary Settings Update
The Simple Photoswipe WordPress plugin through 0.1 does not have an authorisation check when updating its settings, which could allow any authenticated user, such as a subscriber, to update them...
CVE-2022-1760 Core Control <= 1.2.1 - Arbitrary Settings Update via CSRF
The Core Control WordPress plugin through 1.2.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...
CVE-2023-6843 easy.jobs < 2.4.7 - Subscriber+ Arbitrary Settings Update
The easy.jobs - Best Recruitment Plugin for Job Board Listing, Manager, Career Page for Elementor & Gutenberg WordPress plugin before 2.4.7 does not properly secure some of its AJAX actions, allowing any logged-in user to modify its settings...
easy.jobs < 2.4.7 - Subscriber+ Arbitrary Settings Update
Description: The plugin does not properly secure some of its AJAX actions, allowing any logged-in user to modify its settings. PoC: fetch"/wp-admin/admin-ajax.php", "headers": "content-type": "multipart/form-data; boundary=----WebKitFormBoundaryvEIqF0bdJXlPN58D", , "body":...
Rocket Font <= 1.2.3 - Arbitrary Settings Update via CSRF
Description: The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks...
BEAR for WordPress < 1.1.4 - Arbitrary Settings Update via CSRF
Description: The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks...
Ultimate Taxonomy Manager <= 2.0 - Arbitrary Settings Update via CSRF
Description: The plugin does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks...