PT-2024-22980 · WordPress · Essential Addons For Elementor

Name of the Vulnerable Software and Affected Versions: The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress versions up to, and including, 5.9.13 Description: The issue allows unauthenticated attackers to extract sensitive data,...

Essential Addons for Elementor < 5.9.14 - Unauthenticated Private/Draft Posts Access

Description The plugin is vulnerable to Sensitive Information Exposure via the loadmore function. This can allow unauthenticated attackers to extract sensitive data including private and draft posts...

Newsmatic < 1.3.5 - Unauthenticated Information Exposure via newsmatic_filter_posts_load_tab_content

Description The Newsmatic theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.0 via the 'newsmaticfilterpostsloadtabcontent'. This makes it possible for unauthenticated attackers to view draft posts and post content...

CVE-2024-1857

The Ultimate Gift Cards for WooCommerce – Create, Redeem & Manage Digital Gift Certificates with Personalized Templates plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.6 via the wpswgmpreviewemailtemplate. This makes it possible for...

CVE-2024-1452

The GenerateBlocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.2 via Query Loop. This makes it possible for authenticated attackers, with contributor access and above, to see contents of posts and pages in draft or private status ...

CVE-2024-0839

The FeedWordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2022.0222 due to missing validation on the user controlled 'guid' key. This makes it possible for unauthenticated attackers to view draft posts that may contain sensitive...

Cross site request forgery (csrf)

The Related Posts for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the handlecreatelink function. This makes it possible for unauthenticated attackers to add related...

Input validation

The FeedWordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2022.0222 due to missing validation on the user controlled 'guid' key. This makes it possible for unauthenticated attackers to view draft posts that may contain sensitive...

CVE-2024-0592 Related Posts for WordPress <= 2.2.1 - Cross-Site Request Forgery

The Related Posts for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the handlecreatelink function. This makes it possible for unauthenticated attackers to add related...

CVE-2024-0592 Related Posts for WordPress <= 2.2.1 - Cross-Site Request Forgery

The Related Posts for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the handlecreatelink function. This makes it possible for unauthenticated attackers to add related...

Related Posts for WordPress < 2.2.2 - Cross-Site Request Forgery

Description The Related Posts for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the handlecreatelink function. This makes it possible for unauthenticated attackers to...

PT-2024-18083 · WordPress · Wp Show Posts

Name of the Vulnerable Software and Affected Versions: WP Show Posts plugin for WordPress versions up to, and including, 1.1.4 Description: The issue allows authenticated attackers with contributor access and above to view the contents of draft, trash, future, private, and pending posts and pages...

Default credentials

The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.68 via the 'getposts' REST API Endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including full draft...

PT-2024-15200 · WordPress · The Post Grid Combo – 36+ Gutenberg Blocks

Name of the Vulnerable Software and Affected Versions: The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress versions up to, and including, 2.2.68 Description: The issue allows unauthenticated attackers to extract sensitive data, including full draft posts and password-protected posts, ...

BIT-GHOST-2023-26510

Ghost 5.35.0 allows authorization bypass: contributors can view draft posts of other users, which is arguably inconsistent with a security policy in which a contributor's draft can only be read by editors until published by an editor. NOTE: the vendor's position is that this behavior has no...

CVE-2024-0421

The MapPress Maps for WordPress plugin before 2.88.16 is affected by an IDOR as it does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts...

CVE-2024-0421 MapPress Maps for WordPress < 2.88.16 - Unauthenticated Arbitrary Private/Draft Post Disclosure

The MapPress Maps for WordPress plugin before 2.88.16 is affected by an IDOR as it does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts...

PT-2024-15544 · WordPress · Mappress Maps

Name of the Vulnerable Software and Affected Versions: MapPress Maps for WordPress versions prior to 2.88.16 Description: The issue affects the MapPress Maps for WordPress plugin, allowing unauthenticated users to read arbitrary private and draft posts due to an Insecure Direct Object Reference...

WordPress Plugin MapPress Maps Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A security vulnerability previously existed...

CVE-2024-0596

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the editorhtml function in all versions up to, and including, 6.1.7. This makes it possible for authenticated attackers, with...