48 matches found
EUVD-2024-44015
Malicious code in bioql PyPI...
EUVD-2022-43260
Malicious code in bioql PyPI...
CVE-2024-3477
The Popup Box WordPress plugin before 2.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting popups via CSRF attacks...
CVE-2023-0503
The Free WooCommerce Theme 99fy Extension WordPress plugin before 1.2.8 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack...
CVE-2023-1087
The WC Sales Notification WordPress plugin before 1.2.3 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack...
CVE-2023-0504
The HT Politic WordPress plugin before 2.3.8 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack...
CVE-2024-8286
The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting visit logs via CSRF attacks...
CVE-2024-8286
The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting visit logs via CSRF attacks...
CVE-2023-2334
The edd-google-sheet-connector-pro WordPress plugin before 1.4, Easy Digital Downloads Google Sheet Connector WordPress plugin before 1.6.6 does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a...
CVE-2024-8286
The CVE-2024-8286 entry concerns the WordPress plugin webtoffee-gdpr-cookie-consent prior to version 2.6.1, which reportedly lacks CSRF checks in certain bulk actions. Public sources in the connected documents confirm that this could allow an attacker to cause logged-in admins to perform unintend...
CVE-2024-12774
The Altra Side Menu WordPress plugin through 2.0 does not have CSRF checks in some places, which could allow attackers to make logged in admins delete arbitrary menu via a CSRF attack...
CVE-2024-8093
The Posts reminder WordPress plugin through 0.20 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
CVE-2024-7861
The Misiek Paypal WordPress plugin through 1.1.20090324 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-7689
The Snapshot Backup WordPress plugin through 2.1.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-4751
The WP Prayer II WordPress plugin through 2.4.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
CVE-2024-3478
The CVE CVE-2024-3478 affects the WordPress plugin Herd Effects. It explains that the plugin, prior to version 5.2.7, lacks CSRF checks in certain bulk actions, enabling a logged-in attacker to coerce an admin into performing unintended actions (e.g., deleting effects) via CSRF attacks. Public so...
CVE-2024-3474
CVE-2024-3474 concerns the WordPress plugin Wow Skype Buttons (versions before 4.0.4). The issue is a CSRF vulnerability in certain bulk actions that can let an authenticated, logged-in admin perform unauthorized operations, such as deleting buttons, via crafted requests. Public descriptions in R...
ENL Newsletter <= 1.0.1 - Campaign Deletion via CSRF
Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in admins delete arbitrary Campaigns via a CSRF attack PoC Make an admin open a URL like where is a valid ID: http://example.com/wp-admin/admin.php?page=enl-campaigns=campaign-delete=...
DeepL Pro API translation < 2.4.1.2 - Log Pruning via CSRF
Description The plugin does not have CSRF checks when pruning logs, which could allow attackers to make logged in admins perform such action via a CSRF attack...
Thumbnail Slider With Lightbox < 1.0.1 - Arbitrary File Upload via CSRF
Description The plugin does not have CSRF check in the addedit feature, which could allow attackers to make logged in admins upload arbitrary files via a CSRF attack...