50 matches found
CVE-2024-6599
The Meks Video Importer plugin for WordPress is vulnerable to unauthorized API key modification due to a missing capability check on the ajaxsavesettings function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and...
CVE-2025-21752
CVE-2025-21752 (Linux kernel, Btrfs) The issue arises when modifying keys in the RAID stripe-tree using btrfs_set_item_key_safe, which can lead to tree corruption. The root cause of the tree-order issue is not clearly detailed in the provided documents. A practical mitigation suggested in the sou...
CVE-2024-12559 ClickDesigns <= 1.8.0 - Missing Authorization to API Key Modification or Removal
The ClickDesigns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'clickdesignsaddapi' and the 'clickdesignsremoveapi' functions in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to...
CVE-2024-12559 ClickDesigns <= 1.8.0 - Missing Authorization to API Key Modification or Removal
The ClickDesigns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'clickdesignsaddapi' and the 'clickdesignsremoveapi' functions in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to...
PT-2025-1895 · WordPress · Clickdesigns
Name of the Vulnerable Software and Affected Versions: ClickDesigns plugin for WordPress versions up to, and including, 1.8.0 Description: The issue allows unauthorized modification of data due to a missing capability check on the clickdesigns add api and the clickdesigns remove api functions. Th...
CVE-2024-7894 If Menu <= 0.19.1 - Missing Authorization to License Key Update
The If Menu plugin for WordPress is vulnerable to unauthorized modification of the plugin's license key due to a missing capability check on the 'actions' function in versions up to, and including, 0.19.1. This makes it possible for unauthenticated attackers to modify delete or modify the license...
CVE-2024-6599
The CVE affects Meks Video Importer for WordPress. Root cause: missing capability check in ajax_save_settings allows authenticated users with Subscriber+ to modify plugin API keys in all versions up to 1.0.11. Impact: unauthorized API key modification could enable misuse of the plugin’s API keys....
CVE-2024-3277 Yumpu ePaper publishing <= 2.0.24 - Missing Authorization to PDF Upload, Publishing, and API Key Modification
The Yumpu ePaper publishing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxhandler function in all versions up to, and including, 2.0.24. This makes it possible for authenticated attackers, with subscriber-level access and abov...
PT-2024-24841 · WordPress · Yumpu Epaper Publishing Plugin
Name of the Vulnerable Software and Affected Versions: Yumpu ePaper publishing plugin for WordPress version 2.0.24 and earlier Description: The issue allows authenticated attackers with subscriber-level access and above to upload PDF files, publish them, and modify the API key due to a missing...
CVE-2023-2714
The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'checklicense' functions in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to...
PT-2023-20972 · WordPress · Groundhogg
Name of the Vulnerable Software and Affected Versions: Groundhogg plugin for WordPress versions up to, and including, 2.7.9.8 Description: The issue is related to a missing capability check on the check license functions, allowing authenticated attackers with subscriber-level permissions and abov...
CVE-2023-0328 WPCode < 2.0.7 - Contributor+ WPCode Library Auth Key Update/Deletion
The WPCode WordPress plugin before 2.0.7 does not have adequate privilege checks in place for several AJAX actions, only checking the nonce. This may lead to allowing any authenticated user who can edit posts to call the endpoints related to WPCode Library authentication such as update and delete...
GHSA-5GJM-FJ42-X983 etcd Cross-site Request Forgery (CSRF)
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe can't PUT from an HTML form or such but POST allows creating...
Cross-Site Request Forgery (CSRF)
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe can't PUT from an HTML form or such but POST allows creating...
CVE-2018-1098
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe can't PUT from an HTML form or such but POST allows creating...
Cross site request forgery (csrf)
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe can't PUT from an HTML form or such but POST allows creating...
CVE-2018-1098
CVE-2018-1098 affects etcd 3.3.1 and earlier, where CSRF allows an attacker to induce the etcd server to perform unauthorized actions by sending crafted POST requests via a malicious site. The description notes that PUT is safer for adding keys, but POST can be used to create in-order keys. The N...
CVE-2016-3984
The McAfee VirusScan Console mcconsol.exe in McAfee Active Response MAR before 1.1.0.161, Agent MA 5.x before 5.0.2 Hotfix 1110392 5.0.2.333, Data Exchange Layer 2.x DXL before 2.0.1.140.1, Data Loss Prevention Endpoint DLPe 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Device Control MDC 9.3...
Technology share: how to use Python and PyInstaller to write a Windows malicious code-vulnerability warning-the black bar safety net
Disclaimer: This article is intended to share, not for malicious use! This article mainly shows is through the use of python and PyInstaller to build the malicious software of some poc. ! Known to all, malicious software and more will continued to target of the attack. And this is on windows ther...
大汉网络 /jcms/interface/ldap/receive.jsp 接口未授权更改密钥
相关代码如下 if state.equals"S" //注册应用 boolean b = ldapBlf.writeXMLappname,enckey,ldapurl,webtype,ssourl,encrypttype; 未授权注册并覆盖了 enckey 得到 enckey 之后利用可以参照 https://www.sebug.net/vuldb/ssvid-90213...