90 matches found
CVE-2023-6139
The Essential Real Estate WordPress plugin before 4.4.0 does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Denial of Service attacks...
CVE-2021-4388
The Opal Estate plugin for WordPress is vulnerable to featured property modifications in versions up to, and including, 1.6.11. This is due to missing capability checks on the opalestatesetfeatureproperty and opalestateremovefeatureproperty functions. This makes it possible for unauthenticated...
CVE-2023-2275
The WooCommerce Multivendor Marketplace – REST API plugin for WordPress is vulnerable to unauthorized access of data and addition of data due to a missing capability check on the 'getitem', 'getordernotes' and 'addordernote' functions in versions up to, and including, 1.5.3. This makes it possibl...
PT-2023-12488 · WordPress · Doneren Met Mollie
Name of the Vulnerable Software and Affected Versions: Doneren met Mollie plugin for WordPress versions up to and including 2.8.5 Description: The issue concerns Sensitive Data Exposure due to missing capability checks in the dmm export donations function, which is called via the admin post dmm...
CVE-2020-36667
The JetBackup – WP Backup, Migrate & Restore plugin for WordPress is vulnerable to unauthorized back-up location changes in versions up to, and including 1.4.1 due to a lack of proper capability checking on the backupguardclouddropbox, backupguardcloudgdrive, and backupguardcloudoneDrive function...
CVE-2021-24783
The Post Expirator WordPress plugin before 2.6.0 does not have proper capability checks in place, which could allow users with a role as low as Contributor to schedule deletion of arbitrary posts...
CVE-2021-24618
The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting XSS. Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated...
CVE-2021-24504
The WP LMS – Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any use...
CVE-2021-24355
In the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4, the lack of capability checks and insufficient nonce check on the AJAX actions, simple301redirects/admin/getwildcard and simple301redirects/admin/wildcard, made it possible for authenticated users to retrieve and update the...
Portfolio Filter Gallery < 1.1.3 - CSRF & Reflected XSS
Lack of CSRF checks on the Filters page could allow attackers to add/edit/update/delete categories and delete all categories, as well as perform reflected XSS attacks. v1.0.8 fixed the reflected XSS, however no CSRF check on delete and deleteallcategory actions v1.1.0 released, no additional fix...