266 matches found

RedhatCVE
added 2025/05/22 7:25 p.m., 11 views

CVE-2021-25090

The Portfolio Gallery, Product Catalog WordPress plugin before 2.1.0 does not have authorisation and CSRF checks in various functions related to AJAX actions, allowing any authenticated users, such as subscriber, to call them. Due to the lack of sanitisation and escaping, it could also allow...

CVSS 5.4, AI score 6.1, EPSS 0.00591
Exploits 2, References 1
CVE
added 2025/04/29 3:45 p.m., 49 views

CVE-2025-40619

Bookgy suffers an improper access control vulnerability that could permit unauthenticated users to reach private or role-specific areas. The issue is described as insufficient authorization across multiple areas of the application, with a high impact on confidentiality (and a high impact on integ...

CVSS 9.3, AI score 6.8, EPSS 0.00344
Exploits 0, References 1, Affected Software 1
Tenable Nessus
added 2025/02/07 12:00 a.m., 8 views

Debian dla-4043 : openjdk-17-dbg - security update

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4043 advisory. Debian LTS Advisory DLA-4043-1 [email protected] https://www.debian.org/lts/security/...

CVSS 4.8, AI score 6.6, EPSS 0.00971
Exploits 0, References 4
Debian
added 2025/02/03 6:42 p.m., 11 views

[SECURITY] [DSA 5857-1] openjdk-17 security update

Debian Security Advisory DSA-5857-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff February 03, 2025 https://www.debian.org/security/faq ...

CVSS 4.8, AI score 6.8, EPSS 0.00971
Exploits 0
Tenable Nessus
added 2024/10/05 12:00 a.m., 11 views

Debian dsa-5785 : mediawiki - security update

The remote Debian 12 host has packages installed that are affected by a vulnerability as referenced in the dsa-5785 advisory. Debian Security Advisory DSA-5785-1 [email protected] https://www.debian.org/security/ Moritz...

CVSS 5.3, AI score 5.5, EPSS 0.00441
Exploits 1, References 4
NVD
added 2024/08/01 6:15 a.m., 13 views

CVE-2024-1747

The WooCommerce Customers Manager WordPress plugin before 30.2 does not have authorisation and CSRF checks in various AJAX actions, allowing any authenticated users, such as subscriber, to call them and update/delete/create customer metadata, also leading to Stored Cross-Site Scripting due to the lack o...

CVSS 6.5, EPSS 0.0018
Exploits 1, References 1
CVE
added 2024/08/01 6:00 a.m., 52 views

CVE-2024-1747

CVE-2024-1747 concerns the WooCommerce Customers Manager WordPress plugin. Multiple sources (NVD/Red Hat/CVE records) describe that products before version 30.2 suffer from missing authorization checks and CSRF protections in various AJAX actions, allowing authenticated users (e.g., subscribers) ...

CVSS 6.5, AI score 6, EPSS 0.0018
Exploits 1, References 1, Affected Software 1
Vulnrichment
added 2024/07/19 6:00 a.m., 10 views

CVE-2023-7268 ArtPlacer Widget < 2.21.2 - Subscriber+ Arbitrary Widget Deletion

The ArtPlacer Widget WordPress plugin before 2.21.2 does not have an authorisation check in place when deleting widgets, allowing any authenticated users, such as subscriber, to delete arbitrary widgets...

AI score 6.8, EPSS 0.00397
Exploits 1, References 1
Cvelist
added 2024/07/19 6:00 a.m., 19 views

CVE-2023-7268 ArtPlacer Widget < 2.21.2 - Subscriber+ Arbitrary Widget Deletion

The ArtPlacer Widget WordPress plugin before 2.21.2 does not have an authorisation check in place when deleting widgets, allowing any authenticated users, such as subscriber, to delete arbitrary widgets...

EPSS 0.00397
Exploits 1, References 1
CVE
added 2024/06/28 6:00 a.m., 56 views

CVE-2024-5570

CVE-2024-5570 affects the Simple Photoswipe WordPress plugin (version

CVSS 6.5, AI score 6.7, EPSS 0.00547
Exploits 2, References 1, Affected Software 1
Cvelist
added 2024/04/24 5:00 a.m., 23 views

CVE-2024-1756 WooCommerce Customers Manager < 29.8 - Subscriber+ Email Disclosure

The WooCommerce Customers Manager WordPress plugin before 29.8 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users, such as subscriber, to call it and retrieve the list of customer email addresses along with their ID, first name and last name...

AI score 6.6, EPSS 0.00319
Exploits 2, References 1
CVE
added 2024/03/18 7:05 p.m., 95 views

CVE-2024-0780

CVE-2024-0780 affects the WordPress plugin Enjoy Social Feed (versions up to 6.2.2). The underlying issue is Broken Access Control: the database reset function lacks authorization, allowing any authenticated user (e.g., Subscribers) to reset the plugin's database. Reported CVSS v3.1 base metr...

CVSS 8.8, AI score 6.6, EPSS 0.0077
Exploits 2, References 1, Affected Software 1
NVD
added 2024/02/27 9:15 a.m., 15 views

CVE-2023-7202

The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its testerror AJAX action, allowing any authenticated users, such as subscriber, to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF...

CVSS 6.1, AI score 6.2, EPSS 0.00228
Exploits 3, References 2
Pen Test Partners Blog
added 2024/02/07 6:57 a.m., 19 views

Ski & bike helmets protect your head, not location or voice

TL;DR: the Livall smart ski and bike helmet app leaks the wearer's real-time position; group audio chat allows snooping on conversations; both issues are due to missing authorisation; the bike app affects 1 million users, the ski app affects a few thousand users; fixed by the vendor, but after we had to call on a...

AI score 7.3
Exploits 0
WPVulnDB
added 2024/01/24 12:00 a.m., 18 views

12 Step Meeting List < 3.14.29 - Subscriber+ CSV Download

Description: The plugin does not have authorisation in its csv AJAX action, allowing any authenticated users, such as a subscriber, to export meetings and gain access to sensitive information...

CVSS 8.8, AI score 6.2, EPSS 0.00335
Exploits 0, References 1
NVD
added 2024/01/22 8:15 p.m., 9 views

CVE-2023-6384

The WP User Profile Avatar WordPress plugin before 1.0.1 does not properly check for authorisation, allowing authors to delete and update arbitrary avatar...

CVSS 4.3, AI score 4.8, EPSS 0.00405
Exploits 2, References 1
Cvelist
added 2024/01/22 7:14 p.m., 16 views

CVE-2023-6384 WP User Profile Avatar < 1.0.1 - Author+ Avatar Deletion/Update via IDOR

The WP User Profile Avatar WordPress plugin before 1.0.1 does not properly check for authorisation, allowing authors to delete and update arbitrary avatar...

AI score 5.1, EPSS 0.00405
Exploits 2, References 1
CVE
added 2024/01/22 7:14 p.m., 44 views

CVE-2023-6384

CVE-2023-6384 affects the WP User Profile Avatar WordPress plugin, vulnerable in versions before 1.0.1. The issue is an authorization/IDOR flaw that lets authors delete or update arbitrary avatars due to improper access checks. Impact is limited to avatar management (not full site compromise) as ...

CVSS 4.3, AI score 5.1, EPSS 0.00405
Exploits 2, References 1, Affected Software 1
GithubExploit
added 2024/01/17 2:32 p.m., 548 views

Exploit for Improper Input Validation in Kubernetes Ingress-Nginx

CVE-2023-5044 Ingress Nginx Exploit Proof-Of-Concept This is...

CVSS 8.8, AI score 9.1, EPSS 0.56568
Exploits 2
NVD
added 2024/01/16 4:15 p.m., 19 views

CVE-2024-0238

The EventON Premium WordPress plugin before 4.5.6 and the EventON WordPress plugin before 2.2.8 do not have authorisation in an AJAX action, and do not ensure that the post to be updated belongs to the plugin, allowing unauthenticated users to update arbitrary post metadata...

CVSS 6.1, AI score 6.4, EPSS 0.00373
Exploits 1, References 1