121 matches found
CVE-2021-24906 Protect WP Admin < 3.6.2 - Unauthenticated Plugin Deactivation
The Protect WP Admin WordPress plugin before 3.6.2 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin and therefore the protection offered via a crafted request...
WordPress FotoGraphy theme <= 2.4.0 - Cross-Site Request Forgery (CSRF) leading to Arbitrary Plugin Activation/Deactivation
Cross-Site Request Forgery (CSRF) leading to Arbitrary Plugin Activation/Deactivation discovered by Ex.Mi (Patchstack) in WordPress FotoGraphy theme versions <= 2.4.0. Solution: Deactivate and delete. The vendor ignores the vulnerability reports, avoids any conversation...
WordPress Zigcy Cosmetics <= 1.0.5 - Cross-Site Request Forgery (CSRF) leading to Arbitrary Plugin Activation/Deactivation
Cross-Site Request Forgery (CSRF) leading to Arbitrary Plugin Activation/Deactivation discovered by Ex.Mi (Patchstack) in WordPress Zigcy Cosmetics versions <= 1.0.5. Solution: Deactivate and delete. The vendor ignores the vulnerability reports, avoids any conversation...
WordPress Ripple theme <= 1.2.0 - Cross-Site Request Forgery (CSRF) leading to Arbitrary Plugin Activation/Deactivation
Cross-Site Request Forgery (CSRF) leading to Arbitrary Plugin Activation/Deactivation discovered by Ex.Mi (Patchstack) in WordPress Ripple theme versions <= 1.2.0. Solution: Deactivate and delete. The vendor ignores the vulnerability reports, avoids any conversation...
WordPress The Monday theme <= 1.4.1 - Cross-Site Request Forgery (CSRF) leading to Arbitrary Plugin Activation/Deactivation
Cross-Site Request Forgery (CSRF) leading to Arbitrary Plugin Activation/Deactivation discovered by Ex.Mi (Patchstack) in WordPress The Monday theme versions <= 1.4.1. Solution: Deactivate and delete. The vendor ignores the vulnerability reports, avoids any conversation...
Protect WP Admin < 3.6.2 - Unauthenticated Plugin Deactivation
The plugin does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin and therefore the protection offered via a crafted request. v 3.6 - https://example.com/wp-content/plugins/protect-wp-admin/lib/pwa-deactivate.php?disablepwa...
Protect WP Admin < 3.6.2 - Unauthenticated Plugin Deactivation
The plugin does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin and therefore the protection offered via a crafted request. PoC: v 3.6 -...
CVE-2021-36917
WordPress Hide My WP plugin versions <= 6.2.3 can be deactivated by any unauthenticated user. It is possible to retrieve a reset token which can then be used to deactivate the plugin...
PT-2021-21405 · WordPress · Hide My Wp
Name of the Vulnerable Software and Affected Versions: WordPress Hide My WP plugin versions <= 6.2.3. Description: The issue allows any unauthenticated user to deactivate the plugin. It is possible to retrieve a reset token, which can then be used to deactivate the plugin. Recommendations: For...
CVE-2021-24636 Print My Blog < 3.4.2 - Plugin Deactivation via CSRF
The Print My Blog WordPress Plugin before 3.4.2 does not enforce nonce (CSRF) checks, which allows attackers to make logged-in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them into opening a malicious link...
Print My Blog < 3.4.2 - Plugin Deactivation via CSRF
The plugin does not enforce nonce (CSRF) checks, which allows attackers to make logged-in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them into opening a malicious link. PoC...
Subrion Cross-Site Request Forgery Vulnerability
Subrion is a powerful and easy-to-use PHP content management system (CMS) with full source editing, per-page permissions, user activity monitoring and other powerful features. A cross-site request forgery vulnerability exists in panel/modules/plugins/ in Subrion 4.2.1. An attacker can exploit this...
WordPress CMP – Coming Soon & Maintenance plugin <= 3.8.1 - Unauthenticated Plugin Deactivation vulnerability
Unauthenticated Plugin Deactivation vulnerability discovered by NinTechNet in WordPress CMP – Coming Soon & Maintenance plugin versions <= 3.8.1. Solution: Update the WordPress CMP – Coming Soon & Maintenance plugin to the latest available version (at least 3.8.2)...
CMP - Coming Soon & Maintenance < 3.8.2 - Improper Access Controls on AJAX Calls
Some of the AJAX calls from the plugin do not properly check for capabilities and CSRF tokens, leading to issues such as arbitrary post read, subscribers list export and plugin deactivation...
WordPress Images Slideshow by 2J plugin <= 1.3.31 - Authenticated Arbitrary Plugin Deactivation vulnerability
Authenticated Arbitrary Plugin Deactivation vulnerability discovered by NinTechNet in WordPress Images Slideshow by 2J plugin versions <= 1.3.31. Solution: Update the WordPress Images Slideshow by 2J plugin to the latest available version (at least 1.3.33)...
2J SlideShow < 1.3.40 - Authenticated Arbitrary Plugin Deactivation
Description: Lack of authorisation checks in the twojslideshowsetup function registered as an AJAX call could allow authenticated users with low privileges to deactivate arbitrary plugins...
WordPress Photo Gallery – Image Gallery by Ape plugin <= 2.0.6 - Authenticated Arbitrary plugin deactivation
Authenticated Arbitrary plugin deactivation found by Jerome Bruandet in WordPress Photo Gallery – Image Gallery by Ape plugin versions <= 2.0.6. Solution: Update the WordPress Photo Gallery – Image Gallery by Ape plugin to the latest available version (at least 2.0.7)...
WordPress < 3.3.2 Multiple Vulnerabilities
Binary data 9101.prm...
CVE-2012-2402
wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors...