Lucene search
+L

5304 matches found

CVE
CVE
added 2021/11/01 8:46 a.m.56 views

CVE-2021-24717

The CVE-2021-24717 entry concerns the AutomatorWP WordPress plugin pre-1.7.6, where missing authorization checks allow Subscriber-role users to enumerate automations, disclose private post titles or user emails, call functions, or perform privilege escalation via Ajax actions. Root cause: lack of...

8.8CVSS8.9AI score0.01294EPSS
Exploits2References1Affected Software1
Prion
Prion
added 2021/10/21 8:15 p.m.24 views

Deserialization of untrusted data

Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wpajaxheateorsssimportconfig AJAX action due to deserialization of unvalidated user supplied inputs via the importconfig function found in the /admin/class-sassy-social-share-admin.php file. Th...

6.5CVSS8.7AI score0.01976EPSS
Exploits2References3Affected Software1
Vulnrichment
Vulnrichment
added 2021/10/21 7:38 p.m.14 views

CVE-2021-39321 Sassy Social Share 3.3.23 PHP Object Injection

Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wpajaxheateorsssimportconfig AJAX action due to deserialization of unvalidated user supplied inputs via the importconfig function found in the /admin/class-sassy-social-share-admin.php file. Th...

8.8CVSS8.7AI score0.01976EPSS
Exploits2References3
Cvelist
Cvelist
added 2021/10/21 7:38 p.m.28 views

CVE-2021-39321 Sassy Social Share 3.3.23 PHP Object Injection

Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wpajaxheateorsssimportconfig AJAX action due to deserialization of unvalidated user supplied inputs via the importconfig function found in the /admin/class-sassy-social-share-admin.php file. Th...

8.8CVSS8.9AI score0.01976EPSS
Exploits2References3
CVE
CVE
added 2021/10/18 1:46 p.m.78 views

CVE-2021-24752

CVE-2021-24752 affects multiple CatchThemes plugins that fail capability and CSRF checks in the ctp_switch AJAX action. This allows any authenticated user (e.g., Subscriber) to alter plugin settings for: Essential Widgets (≤1.9), To Top (≤2.3), Header Enhancement (≤1.5), Generate Child Theme (≤1....

5.7CVSS5.3AI score0.00408EPSS
Exploits2References1Affected Software10
NVD
NVD
added 2021/10/11 4:15 p.m.19 views

CVE-2021-39317

A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the pluginofflineinstaller AJAX action due to a missing capability check in the pluginofflineinstallercallback function found in the /demo-functions.php file or /welcome.ph...

8.8CVSS0.01652EPSS
Exploits2References4
OSV
OSV
added 2021/10/11 4:15 p.m.22 views

CVE-2021-39317

A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the pluginofflineinstaller AJAX action due to a missing capability check in the pluginofflineinstallercallback function found in the /demo-functions.php file or /welcome.ph...

8.8CVSS6.4AI score
Exploits0References4
Prion
Prion
added 2021/10/11 4:15 p.m.16 views

Design/Logic Flaw

A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the pluginofflineinstaller AJAX action due to a missing capability check in the pluginofflineinstallercallback function found in the /demo-functions.php file or /welcome.ph...

6.5CVSS8.4AI score0.01652EPSS
Exploits2References4Affected Software43
Cvelist
Cvelist
added 2021/10/11 3:48 p.m.15 views

CVE-2021-39317 AccessPress Themes - Authenticated Malicious File Upload

A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the pluginofflineinstaller AJAX action due to a missing capability check in the pluginofflineinstallercallback function found in the /demo-functions.php file or /welcome.ph...

8.8CVSS8.8AI score0.01652EPSS
Exploits2References4
Positive Technologies
Positive Technologies
added 2021/10/11 12:0 a.m.7 views

PT-2021-22526 · Accesspress · Accesspress-Parallax +6

Name of the Vulnerable Software and Affected Versions: AccessPress Demo Importer versions 1.0.6 and earlier accesspress-basic versions 3.2.1 and earlier accesspress-lite versions 2.92 and earlier accesspress-mag versions 2.6.5 and earlier accesspress-parallax version 4.5 accesspress-root version...

8.8CVSS8.3AI score0.01652EPSS
Exploits2References9
WPVulnDB
WPVulnDB
added 2021/10/06 12:0 a.m.20 views

Access Demo Importer < 1.0.7 - Subscriber+ Arbitrary File Upload

Versions up to, and including, 1.0.6, of the Access Demo Importer WordPress plugin are vulnerable to arbitrary file uploads via the pluginofflineinstaller AJAX action due to a missing capability check in the pluginofflineinstallercallback functionfound in the /inc/demo-functions.php file along wi...

8.8CVSS1.7AI score0.01652EPSS
Exploits2References1Affected Software1
OSV
OSV
added 2021/10/04 6:15 p.m.3 views

CVE-2021-39347

The Stripe for WooCommerce WordPress plugin is missing a capability check on the save function found in the /includes/admin/class-wc-stripe-admin-user-edit.php file that makes it possible for attackers to configure their account to use other site users unique STRIPE identifier and make purchases...

4.3CVSS5.6AI score0.00648EPSS
Exploits0References2
NVD
NVD
added 2021/10/04 6:15 p.m.15 views

CVE-2021-39347

The Stripe for WooCommerce WordPress plugin is missing a capability check on the save function found in the /includes/admin/class-wc-stripe-admin-user-edit.php file that makes it possible for attackers to configure their account to use other site users unique STRIPE identifier and make purchases...

4.3CVSS0.00648EPSS
Exploits0References2
Cvelist
Cvelist
added 2021/10/04 5:21 p.m.17 views

CVE-2021-39347 Stripe for WooCommerce 3.0.0 - 3.3.9 Missing Authorization Controls to Financial Account Hijacking

The Stripe for WooCommerce WordPress plugin is missing a capability check on the save function found in the /includes/admin/class-wc-stripe-admin-user-edit.php file that makes it possible for attackers to configure their account to use other site users unique STRIPE identifier and make purchases...

4.3CVSS4.8AI score0.00648EPSS
Exploits0References2
WPVulnDB
WPVulnDB
added 2021/10/04 12:0 a.m.14 views

Logo Slider and Showcase < 1.3.37 - Editor Plugin's Settings Update

The plugin allows Editor users to update the plugin's settings via the rtWLSSettings AJAX action because it uses a nonce for authorisation instead of a capability check. PoC - As Editor, go to Logo Showcase - Shortcode Generator - Run...

6.5CVSS3.3AI score0.0083EPSS
Exploits2Affected Software1
NVD
NVD
added 2021/08/23 12:15 p.m.24 views

CVE-2021-24555

The daacdeletebookingcallback function, hooked to the daacdeletebooking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and...

8.8CVSS0.00821EPSS
Exploits2References2
Prion
Prion
added 2021/08/23 12:15 p.m.13 views

Sql injection

The daacdeletebookingcallback function, hooked to the daacdeletebooking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and...

6.5CVSS8.9AI score0.00821EPSS
Exploits2References2Affected Software1
Cvelist
Cvelist
added 2021/08/23 11:10 a.m.27 views

CVE-2021-24555 Diary & Availability Calendar <= 1.0.3 - Authenticated (subscriber+) SQL Injection

The daacdeletebookingcallback function, hooked to the daacdeletebooking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and...

9.2AI score0.00821EPSS
Exploits2References2
CVE
CVE
added 2021/08/23 11:10 a.m.50 views

CVE-2021-24555

CVE-2021-24555 affects the WordPress plugin “Diary & Availability Calendar” (

8.8CVSS9AI score0.00821EPSS
Exploits2References2Affected Software1
wpexploit
wpexploit
added 2021/08/19 12:0 a.m.620 views

Donate With QRCode < 1.4.5 - Stored Cross-Site Scripting

The plugin does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting XSS. Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated user as low as subscriber, or unauthenticat...

5.4CVSS5.3AI score0.00386EPSS
Exploits2
Rows per page
Query Builder