45 matches found
EUVD-2022-42730
Malicious code in bioql PyPI...
CVE-2022-1323
The Discy WordPress theme before 5.0 lacks authorization checks when processing ajax requests to the discyupdateoptions action, allowing any logged-in user with privileges as low as Subscriber to change Theme options by sending a crafted POST request...
CVE-2022-1422
The Discy WordPress theme before 5.2 does not check for CSRF tokens in the AJAX action discyresetoptions, allowing an attacker to trick an admin into resetting the site settings back to their defaults...
CVE-2022-1421
The Discy WordPress theme before 5.2 lacks CSRF checks in some AJAX actions, allowing an attacker to make a logged-in admin change arbitrary 's settings, including payment methods, via a CSRF attack...
CVE-2022-3343
The WPQA Builder WordPress plugin before 5.9.3, a companion plugin used with the Discy and Himer WordPress themes, incorrectly tries to validate that a user already follows another in the wpqafollowingyouajax action, allowing a user to inflate their score on the site by having another us...
Design/Logic Flaw
The WPQA Builder WordPress plugin before 5.9.3, a companion plugin used with the Discy and Himer WordPress themes, incorrectly tries to validate that a user already follows another in the wpqafollowingyouajax action, allowing a user to inflate their score on the site by having another us...
WPQA < 5.9.3 - Missing validation lead to functionality abuse
The plugin, a companion plugin used with the Discy and Himer themes, incorrectly tries to validate that a user already follows another in the wpqafollowingyouajax action, allowing a user to inflate their score on the site by having another user send repeated follow actions to them. PoC...
CVE-2022-2198
The WPQA Builder WordPress plugin before 5.7, a companion plugin to the Hilmer and Discy themes, does not check authorization before displaying private messages, allowing any logged-in user to read other users' private messages using the message id, which can easily be brute forced...
CVE-2022-2198
CVE-2022-2198 affects the WPQA Builder WordPress plugin prior to 5.7. The issue is an authorization bug: because access checks are missing, any logged-in user can read another user's private messages by guessing the message id. The impact is disclosure of private messages; the advisory does not quantify b...
Authorization
The Discy WordPress theme before 5.0 lacks authorization checks when processing ajax requests to the discyupdateoptions action, allowing any logged-in user with privileges as low as Subscriber to change Theme options by sending a crafted POST request...
CVE-2022-1323 Discy < 5.0 - Subscriber+ Broken Access Control to change settings
The Discy WordPress theme before 5.0 lacks authorization checks when processing ajax requests to the discyupdateoptions action, allowing any logged-in user with privileges as low as Subscriber to change Theme options by sending a crafted POST request...
CVE-2022-1323
The CVE-2022-1323 entry concerns the Discy WordPress theme prior to version 5.0, where a lack of authorization checks in the handling of the discy_update_options AJAX action allows any logged-in user (with privileges as low as Subscriber) to modify theme options via a crafted POST request to admin-ajax.php. Th...
WordPress Plugin Discy Code Issue Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language; it supports personal blog sites on PHP and MySQL servers. A WordPress plugin is an application plugin for the platform. A code issue vulnerability exists in...
WordPress Theme Discy Access Control Error Vulnerability
WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports personal blog sites on servers running PHP and MySQL. A WordPress theme is a theme for WordPress. An Access Control Error vulnerability exists in the WordPress theme Discy prior to version 5.0, which ste...
PT-2022-13797 · WordPress · Discy
Name of the Vulnerable Software and Affected Versions: Discy WordPress theme versions prior to 5.0. Description: The issue allows any logged-in user, with privileges as low as Subscriber, to change theme options by sending a crafted POST request to the "discy update options" action due to a lack ...
WordPress Discy premium theme <= 4.9 - Broken Access Control to change settings vulnerability
Broken Access Control to change settings vulnerability discovered by Veshraj Ghimire in WordPress Discy premium theme versions <= 4.9. Solution: update the WordPress Discy theme to the latest available version, at least 5.0...
Discy < 5.0 - Subscriber+ Broken Access Control to change settings
The theme lacks authorization checks when processing ajax requests to the discyupdateoptions action, allowing any logged-in user with privileges as low as Subscriber to change the theme options by sending a crafted POST request. POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type:...