Wordfence Intelligence CE Weekly Vulnerability Report (1-30-2023 to 2-5-2023)
In case you missed it, Wordfence has curated an industry-leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities, known as Wordfence Intelligence Community Edition. This database is continuously updated, maintained, and populated by Wordfence's highly...
Magazine Edge <= 1.13 - Subscriber+ Arbitrary Plugin Activation
The theme does not have authorisation and CSRF checks when activating plugins via an AJAX action, allowing any authenticated user, such as a subscriber, to activate arbitrary plugins. Run the below command in the developer console of the web browser while being on the blog as a subscriber user...
CVE-2022-4701 Royal Elementor Addons <= 1.3.59 - Insufficient Access Control to Plugin Activation
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpr_activate_required_plugins' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to activate the...
Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Plugin Activation
The plugin does not have authorisation and CSRF checks when activating plugins, which could allow any authenticated user, such as a subscriber, to perform such an action...
PT-2023-15131 · WordPress · Media Library Assistant +3
Name of the Vulnerable Software and Affected Versions: The Royal Elementor Addons plugin for WordPress versions up to, and including, 1.3.59 Description: The issue is related to insufficient access control in the 'wpr_activate_required_plugins' AJAX action. This allows any authenticated user,...
CVE-2022-3879
The Car Dealer Dealership and Vehicle Sales WordPress plugin before 3.05 does not have proper authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and install and activate arbitrary plugins from wordpress.org...
PT-2022-24582 · WordPress · Memory Usage
Name of the Vulnerable Software and Affected Versions: Memory Usage, Memory Limit, PHP and Server Memory Health Check and Fix Plugin WordPress plugin versions prior to 2.46 Description: The issue concerns a lack of proper authorization and CSRF protection in an AJAX action. This allows any...
PT-2022-23613 · WordPress · Advanced Import
Name of the Vulnerable Software and Affected Versions: Advanced Import WordPress plugin versions prior to 1.3.8 Description: The issue concerns a lack of CSRF check in the Advanced Import WordPress plugin, allowing attackers to make a logged-in admin install arbitrary plugins from WordPress.org a...
CVE-2022-1656
Vulnerable versions of the JupiterX Theme <= 2.0.6 allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterxapiajax actions registered by the JupiterX Core Plugin <= 2.0.6. This includes the...
Subrion CMS CSRF Vulnerability
Subrion CMS 4.2.1 has CSRF in panel/modules/plugins/. The attacker can remotely activate/deactivate the plugins...
WordPress plugin Access Demo Importer cross-site request forgery vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plugin. WordPress plugin Access Demo Importer 1.0.7 and earlier versions are vulnerable to cross-site request...
CVE-2022-23975
Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to activate any installed plugin...
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to activate any installed plugin...
CVE-2022-23975 WordPress Access Demo Importer plugin <= 1.0.7 - Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Plugin Activation
Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to activate any installed plugin...
WordPress The Events Calendar Search Addon plugin <= 1.1.3 - Arbitrary Plugin Activation vulnerability
Arbitrary Plugin Activation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress The Events Calendar Search Addon plugin versions <= 1.1.3. Solution: Update the WordPress The Events Calendar Search Addon plugin to the latest available version (at least 1.2.1)...
WordPress Event Single Page Templates Addon For The Events Calendar plugin <= 1.5 - Arbitrary Plugin Activation vulnerability
Arbitrary Plugin Activation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress Event Single Page Templates Addon For The Events Calendar plugin versions <= 1.5. Solution: Update the WordPress Event Single Page Templates Addon For The Events Calendar plugin to the latest available...
WordPress The Events Calendar Countdown Addon plugin <= 1.3.1 - Arbitrary Plugin Activation vulnerability
Arbitrary Plugin Activation vulnerability discovered by Jerome Bruandet (NinTechNet) in WordPress The Events Calendar Countdown Addon plugin versions <= 1.3.1. Solution: Update the WordPress The Events Calendar Countdown Addon plugin to the latest available version (at least 1.4)...