345 matches found
CVE-2023-33923 Broken Access Control leading to Arbitrary Plugin Activation in multiple HashThemes themes
Missing Authorization vulnerability in HashThemes Viral News, HashThemes Viral, HashThemes HashOne.This issue affects Viral News: from n/a through 1.4.5; Viral: from n/a through 1.8.0; HashOne: from n/a through 1.3.0...
CVE-2024-0767
The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on the ajaxpluginactivation function. This makes it possible for unauthenticated...
CVE-2024-0767 Envo's Elementor Templates & Widgets for WooCommerce <= 1.4.4 - Cross-Site Request Forgery via ajax_plugin_activation
The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on the ajaxpluginactivation function. This makes it possible for unauthenticated...
CVE-2024-0767 Envo's Elementor Templates & Widgets for WooCommerce <= 1.4.4 - Cross-Site Request Forgery via ajax_plugin_activation
The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on the ajaxpluginactivation function. This makes it possible for unauthenticated...
CVE-2024-0767
CVE-2024-0767 (Envo's Elementor Templates & Widgets for WooCommerce) is a CSRF in the plugin’s ajax_plugin_activation path that can let unauthenticated attackers activate arbitrary plugins if an admin is tricked into performing an action. The vulnerability affects WordPress installations using th...
PT-2024-15804 · Envo · Elementor Templates & Widgets For Woocommerce
Name of the Vulnerable Software and Affected Versions: The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress versions up to, and including, 1.4.4 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the ajax plugin...
Envo's Elementor Templates & Widgets for WooCommerce < 1.4.5 - Arbitrary Plugin Activation via CSRF
Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the ajaxpluginactivation function, allowing unauthenticated attackers to activate arbitrary installed plugins via a forged request granted they can trick a site administrator into...
Exploit for Missing Authorization in Xlplugins Nextmove
CVE-2024-25092 NextMove Lite 2.18.0 - Subscriber+ Arbitra...
CVE-2024-0679
The ColorMag theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the pluginactioncallback function in all versions up to, and including, 3.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to install and...
WordPress Ocean Extra Plugin < 2.2.3 CSRF Vulnerability
The WordPress plugin SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:oceanwp:oceanextra"; if description...
Futurio Extra < 1.9.1 - Arbitrary Plugin Activation via CSRF
Description The plugin does not have CSRF check when activating plugins, which could allow attackers to make logged in admins perform such action via a CSRF attack...
CVE-2023-40201
Cross-Site Request Forgery CSRF vulnerability in FuturioWP Futurio Extra plugin = 1.8.4 versions leads to activation of arbitrary plugin...
CVE-2023-40201
Cross-Site Request Forgery CSRF vulnerability in FuturioWP Futurio Extra plugin = 1.8.4 versions leads to activation of arbitrary plugin...
Cross site request forgery (csrf)
Cross-Site Request Forgery CSRF vulnerability in FuturioWP Futurio Extra plugin = 1.8.4 versions leads to activation of arbitrary plugin...
PT-2023-27320 · WordPress · Futurio Extra
Name of the Vulnerable Software and Affected Versions: FuturioWP Futurio Extra plugin versions 1.8.4 and earlier Description: The issue is a Cross-Site Request Forgery CSRF vulnerability that allows the activation of arbitrary plugins. This can be exploited by tricking a user into performing...
AffiliateWP < 2.14.1 - Subscriber+ Arbitrary Plugin Activation
Description The theme does not have authorisation and CSRF when activating plugins via an AJAX action, allowing any authenticated users, such as subscriber to activate arbitrary plugins...
CVE-2023-4600
The AffiliateWP for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'affwpactivateaddonspageplugin' function called via an AJAX action in versions up to, and including, 2.14.0. This makes it possible for authenticated attackers, with...
CVE-2023-4600
The AffiliateWP for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'affwpactivateaddonspageplugin' function called via an AJAX action in versions up to, and including, 2.14.0. This makes it possible for authenticated attackers, with...
Design/Logic Flaw
The AffiliateWP for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'affwpactivateaddonspageplugin' function called via an AJAX action in versions up to, and including, 2.14.0. This makes it possible for authenticated attackers, with...
CVE-2023-4600
The AffiliateWP for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'affwpactivateaddonspageplugin' function called via an AJAX action in versions up to, and including, 2.14.0. This makes it possible for authenticated attackers, with...