Lucene search
K

266 matches found

CVE
CVE
added 2022/11/07 12:0 a.m.59 views

CVE-2022-3537

The CVE concerns the WordPress plugin Role Based Pricing for WooCommerce, affected versions prior to 1.6.2. The root cause is inadequate authorization and CSRF protection, plus unvalidated file uploads, allowing any authenticated user (e.g., a subscriber) to upload arbitrary files such as PHP. Pu...

8.8CVSS8.9AI score0.00498EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2022/10/20 12:0 a.m.11 views

Simple SEO < 1.8.13 - Subscriber+ Sitemap Creation/Deletion

The plugin does not have authorisation check when creating and deleting sitemaps, which could allow any authenticated users, such as subscriber to create and delete them...

5.4CVSS3.6AI score0.00211EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2022/10/17 12:0 a.m.13 views

Role Based Pricing for WooCommerce < 1.6.2 - Subscriber+ Arbitrary File Upload

The plugin does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP PoC As a subscriber, open the HTML code below while being logged in as a subscriber, then choose a fil...

8.8CVSS0.2AI score0.00498EPSS
Exploits2Affected Software1
Cvelist
Cvelist
added 2022/10/17 12:0 a.m.25 views

CVE-2022-3082 miniOrange Discord Integration < 2.1.6 - Subscriber+ App Disabling

The miniOrange Discord Integration WordPress plugin before 2.1.6 does not have authorisation and CSRF in some of its AJAX actions, allowing any logged in users, such as subscriber to call them, and disable the app for example...

6.7AI score0.00411EPSS
Exploits2References1
Cvelist
Cvelist
added 2022/10/17 12:0 a.m.26 views

CVE-2022-3244 Import all XML, CSV & TXT into WordPress < 6.5.8 - Missing Authorisation

The Import all XML, CSV & TXT WordPress plugin before 6.5.8 does not have authorisation in some places, which could allow any authenticated users to access some of the plugin features if they manage to get the related nonce...

4.7AI score0.00386EPSS
Exploits1References1
UbuntuCve
UbuntuCve
added 2022/10/03 2:15 p.m.17 views

CVE-2022-2839

The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them t...

5.4CVSS6.1AI score0.00381EPSS
Exploits2References2
WPVulnDB
WPVulnDB
added 2022/09/29 12:0 a.m.42 views

Media Library Assistant < 3.01 - Unauthenticated Error Log Access

The plugin does not have authorisation in place, which could allow unauthenticated attackers to access its error log if they can guess or brute force the filename...

5.3CVSS6.1AI score0.00531EPSS
Exploits0Affected Software1
NVD
NVD
added 2022/09/26 1:15 p.m.21 views

CVE-2022-3024

The Simple Bitcoin Faucets WordPress plugin through 1.7.0 does not have any authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscribers to call it and add/delete/edit Bonds. Furthermore, due to the lack of sanitisation and escaping, it could also lead to Stored...

5.4CVSS0.00233EPSS
Exploits2References1
CVE
CVE
added 2022/09/26 12:35 p.m.87 views

CVE-2022-2352

CVE-2022-2352 affects the WordPress Post SMTP Mailer/Email Log plugin prior to 2.1.7. The issue is lack of proper authorization in certain AJAX actions, enabling high-privilege users (e.g., admins) to perform blind SSRF on multisite installations. Remediation is to update to version 2.1.7 or late...

7.2CVSS6.8AI score0.01039EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2022/09/26 12:0 a.m.18 views

miniOrange Discord Integration < 2.1.6 - Subscriber+ App Disabling

The plugin does not have authorisation and CSRF in some of its AJAX actions, allowing any logged in users, such as subscriber to call them, and disable the app for example PoC Run the below command in the developer console of the web browser while being on the blog as any user, such as subscriber...

6.5CVSS3.4AI score0.00411EPSS
Exploits2Affected Software1
Prion
Prion
added 2022/09/05 1:15 p.m.19 views

Cross site request forgery (csrf)

The Multivendor Marketplace Solution for WooCommerce WordPress plugin before 3.8.12 is lacking authorisation and CSRF in multiple AJAX actions, which could allow any authenticated users, such as subscriber to call them and suspend vendors reporter by the submitter or update arbitrary order status...

4CVSS4.8AI score0.00275EPSS
Exploits2References1Affected Software1
Prion
Prion
added 2022/09/05 1:15 p.m.16 views

Design/Logic Flaw

The Visual Portfolio, Photo Gallery & Post Grid WordPress plugin before 2.18.0 does not have proper authorisation checks in some of its REST endpoints, allowing unauthenticated users to call them and inject arbitrary CSS in arbitrary saved layouts...

5.8CVSS6.3AI score0.00496EPSS
Exploits2References1Affected Software1
CVE
CVE
added 2022/09/05 12:35 p.m.65 views

CVE-2022-2657

CVE-2022-2657 affects the Multivendor Marketplace Solution for WooCommerce WordPress plugin, prior to version 3.8.12. The issue is lack of authorization checks and CSRF protection in multiple AJAX actions, enabling not only unauthenticated CSRF abuse but also action calls by authenticated users (...

4.3CVSS4.8AI score0.00275EPSS
Exploits2References1Affected Software1
NVD
NVD
added 2022/08/29 6:15 p.m.35 views

CVE-2022-2373

The Simply Schedule Appointments WordPress plugin before 1.5.7.7 is missing authorisation in a REST endpoint, allowing unauthenticated users to retrieve WordPress users details such as name and email address...

5.3CVSS0.01424EPSS
Exploits2References1
WPVulnDB
WPVulnDB
added 2022/08/25 12:0 a.m.16 views

Event Calendar < 1.4.7 - Unauthenticated Arbitrary Event Deletion

The plugin does not have authorisation check when deleting events, which could allow unauthenticated attackers to delete them...

6.5CVSS5.3AI score0.00534EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2022/08/25 12:0 a.m.26 views

About Me <= 1.0.12 - Subscriber+ Arbitrary Network Creation/Deletion

The plugin does not have authorisation and CRSF when adding and deleting networks via AJAX actions, which could allow any authenticated users, such as subscriber to create and delete arbitrary networks...

9.8CVSS4.4AI score0.00779EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2022/08/25 12:0 a.m.18 views

Accommodation System <= 1.0.1 - Subscriber+ Unauthorised Actions

The plugin does not have authorisation in various actions, which could allow users with a role as low as subscriber to call them and perform unauthorised actions...

9.8CVSS4.8AI score0.00736EPSS
Exploits0Affected Software1
WPVulnDB
WPVulnDB
added 2022/08/24 12:0 a.m.20 views

59sec LITE <= 3.4.1 - Unauthenticated Settings Update

Description The plugin does not have any authorisation in place when updating its settings, allowing unauthenticated attackers to do so...

6.5CVSS5.5AI score0.00547EPSS
Exploits0
Cvelist
Cvelist
added 2022/08/22 3:2 p.m.23 views

CVE-2022-2377 Directorist < 7.3.0 - Subscriber+ Arbitrary E-mail Sending

The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users to send arbitrary emails on behalf of the blog...

5AI score0.00308EPSS
Exploits2References1
CVE
CVE
added 2022/08/15 8:37 a.m.2188 views

CVE-2022-2379

CVE-2022-2379 affects the WordPress Easy Student Results plugin (versions ≤ 2.2.8). The REST API lacks proper authorization, allowing unauthenticated users to retrieve sensitive data: courses, exams, departments, student grades, and PII (email, physical address, phone). The CVSSv3.1 base score is...

7.5CVSS7.3AI score0.02801EPSS
Exploits2References1Affected Software1
Rows per page
Query Builder