
4 matches found

WPVulnDB
added 2021/10/26 12:0 a.m. | 21 views

Bulk Datetime Change < 1.12 - Missing Authorisation

The plugin does not enforce capability checks, which allows users with Contributor roles to (1) list private post titles of other users and (2) change the posted date of other users' posts. PoC: Run on "Bulk Datetime Change" page:...

CVSS 5.5 | AI score 5.5 | EPSS 0.00699
Exploits 2 | References 1 | Affected Software 1
wpexploit
added 2021/10/26 12:0 a.m. | 673 views

Bulk Datetime Change < 1.12 - Missing Authorisation

The plugin does not enforce capability checks, which allows users with Contributor roles to (1) list private post titles of other users and (2) change the posted date of other users' posts. Run on "Bulk Datetime Change" page: jQuery.post("https://example.com/wp-admin/admin.php?page=bulkdatetimechange",...

CVSS 5.5 | AI score 5.7 | EPSS 0.00699
Exploits 2 | References 1
wpexploit
added 2021/08/30 12:0 a.m. | 809 views

Countdown Block < 1.1.2 - Missing Authorisation in AJAX action

The plugin does not have authorisation in the ebwriteblockcss AJAX action, which allows any authenticated user, such as Subscriber, to modify post contents displayed to users. v1.1.1 attempt to fix the issue was incomplete, still allowing it to be exploited via a CSRF attack on an admin due to a...

CVSS 4.3 | EPSS 0.0065
Exploits 2
Patchstack
added 2021/08/30 12:0 a.m. | 15 views

WordPress Countdown Block plugin <= 1.1.1 - Missing Authorisation in AJAX action vulnerability

Missing Authorisation in AJAX action vulnerability discovered by apple502j in WordPress Countdown Block plugin (versions <= 1.1.1). Solution: Update the WordPress Countdown Block plugin to the latest available version (at least 1.1.2)...

CVSS 4.3 | AI score 4.2 | EPSS 0.0065
Exploits 2 | References 3 | Affected Software 1