CVE-2021-24994
The Migration, Backup, Staging WordPress plugin before 0.9.69 does not perform an authorisation check when adding remote storages, and does not sanitise or escape a parameter from such unauthenticated requests before outputting it in an admin page, leading to a Stored Cross-Site Scripting issue...
TF Random Numbers < 2.0.1 - Subscriber+ Arbitrary Option Update
The plugin does not have authorisation and CSRF checks in an AJAX action, and does not ensure that the options to be updated belong to the plugin. As a result, it could allow any authenticated user, such as a subscriber, to update arbitrary blog options, such as enabling registration and setting the...
miniOrange Discord Integration < 2.1.6 - Subscriber+ App Disabling
The plugin does not have authorisation and CSRF checks in some of its AJAX actions, allowing any logged-in user, such as a subscriber, to call them and, for example, disable the app. PoC: Run the below command in the developer console of the web browser while being on the blog as any user, such as a subscriber...