Lucene search
K

43 matches found

RedhatCVE
RedhatCVE
added 2025/05/22 7:24 p.m.6 views

CVE-2021-24905

The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7dbeditscrfiledelete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the...

8CVSS7.6AI score0.00721EPSS
Exploits2References1
OSV
OSV
added 2024/06/21 6:15 a.m.3 views

CVE-2024-4382

The CB legacy WordPress plugin through 0.9.4.18 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF attacks...

6.5CVSS5.8AI score0.00209EPSS
Exploits2References1
OSV
OSV
added 2024/05/27 6:15 a.m.1 views

CVE-2024-4530

The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions such as editing card categories via CSRF attacks...

6.3CVSS5.8AI score
Exploits0References1
OSV
OSV
added 2024/01/16 4:15 p.m.4 views

CVE-2023-6373

The ArtPlacer Widget WordPress plugin before 2.20.7 does not sanitize and escape the "id" parameter before submitting the query, leading to a SQLI exploitable by editors and above. Note: Due to the lack of CSRF check, the issue could also be exploited via a CSRF against a logged editor or above...

8.8CVSS7.3AI score0.00415EPSS
Exploits2References1
OSV
OSV
added 2023/12/26 7:15 p.m.4 views

CVE-2023-5991

The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, as well as does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server...

9.8CVSS5.9AI score0.03313EPSS
Exploits2References1
OSV
OSV
added 2023/07/10 4:15 p.m.4 views

CVE-2023-1597

The tagDiv Cloud Library WordPress plugin before 2.7 does not have authorisation and CSRF in an AJAX action accessible to both unauthenticated and authenticated users, allowing unauthenticated users to change arbitrary user metadata, which could lead to privilege escalation by setting themselves ...

8.8CVSS7.4AI score0.00474EPSS
Exploits2References1
OSV
OSV
added 2022/11/07 10:15 a.m.5 views

CVE-2022-3451

The Product Stock Manager WordPress plugin before 1.0.5 does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow to update arbitrary options...

4.3CVSS5.9AI score0.00264EPSS
Exploits2References1
OSV
OSV
added 2022/08/22 3:15 p.m.5 views

CVE-2021-24912

The Transposh WordPress Translation WordPress plugin before 1.0.8 does not have CSRF check in its tptranslation AJAX action, which could allow attackers to make authorised users add a translation. Given the lack of sanitisation in the tk0 parameter, this could lead to a Stored Cross-Site Scriptin...

5.4CVSS7.3AI score0.00304EPSS
Exploits3References1
OSV
OSV
added 2022/06/27 9:15 a.m.4 views

CVE-2022-1574

The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importing files, and does not validate them, as a result, unauthenticated attackers can upload arbitrary files such as PHP on the remote server...

9.8CVSS5.9AI score0.11866EPSS
Exploits2References1
Positive Technologies
Positive Technologies
added 2022/06/13 12:0 a.m.4 views

PT-2022-9671 · WordPress · Enqueue Anything

Name of the Vulnerable Software and Affected Versions: Enqueue Anything WordPress plugin versions 1.0.0 through 1.0.1 Description: The issue is related to the lack of authorization and CSRF checks in the remove asset AJAX action. This allows low-privilege users, such as subscribers, to delete...

6.5CVSS6.3AI score0.00408EPSS
Exploits2References4
ATTACKERKB
ATTACKERKB
added 2022/05/02 4:15 p.m.4 views

CVE-2022-0952

The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as...

8.8CVSS7.7AI score0.13329EPSS
Exploits2References3
OSV
OSV
added 2022/04/25 4:16 p.m.4 views

CVE-2022-1092

The myCred WordPress plugin before 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call and and retrieve the list of email address present in the blog...

4.3CVSS5.8AI score0.00415EPSS
Exploits1References1
OSV
OSV
added 2022/04/18 6:15 p.m.4 views

CVE-2022-1020

The Product Table for WooCommerce wooproducttable WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wptadminupdatenoticeoption AJAX action available to both unauthenticated and authenticated users, as well as does not validate the callback parameter, allowing...

9.8CVSS5.9AI score0.26586EPSS
Exploits2References1
OSV
OSV
added 2022/03/14 3:15 p.m.3 views

CVE-2021-24950

The Insight Core WordPress plugin through 1.0 does not have any authorisation and CSRF checks in the insightcustomizeroptionsimport available to any authenticated user, does not validate user input before passing it to unserialize, nor sanitise and escape it before outputting it in the response. ...

5.4CVSS5.8AI score0.00516EPSS
Exploits2References1
OSV
OSV
added 2022/03/14 3:15 p.m.4 views

CVE-2021-24958

The Meks Easy Photo Feed Widget WordPress plugin before 1.2.4 does not have capability and CSRF checks in the mekssavebusinessselectedaccount AJAX action, available to any authenticated user, and does not escape some of the settings. As a result, any authenticated user, such as subscriber could...

5.4CVSS5.8AI score0.00591EPSS
Exploits2References1
OSV
OSV
added 2022/02/28 9:15 a.m.6 views

CVE-2021-24971

The WP Responsive Menu WordPress plugin before 3.1.7.1 does not have capability and CSRF checks in the wprliveupdate AJAX action, as well as do not sanitise and escape some of the data submitted. As a result, any authenticated, such as subscriber could update the plugin's settings and perform...

5.4CVSS6.1AI score0.00591EPSS
Exploits2References1
OSV
OSV
added 2022/02/21 11:15 a.m.2 views

CVE-2022-0164

The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not have authorisation and CSRF checks in its comingsoonsendmail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users...

4.3CVSS5.9AI score0.00344EPSS
Exploits2References2
OSV
OSV
added 2022/02/07 4:15 p.m.3 views

CVE-2021-24993

The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated users, such as subscriber to call them and add arbitrary products, or change the plugin's settings for example...

6.5CVSS5.9AI score0.00469EPSS
Exploits2References2
OSV
OSV
added 2022/01/17 1:15 p.m.4 views

CVE-2021-25025

The EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the addcalendarevent AJAX actions, allowing users with a role as low as subscriber to create events...

4.3CVSS5.8AI score0.00347EPSS
Exploits2References1
CNNVD
CNNVD
added 2021/11/01 12:0 a.m.6 views

WordPress plugin Accept Donations with PayPal 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin that supports personal blogs on PHP and MySQL servers. A cross-site scripting vulnerability exists in the...

4.3CVSS4.8AI score0.00487EPSS
Exploits2References2
Rows per page
Query Builder