121 matches found
CVE-2020-36729
The 2J-SlideShow Plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'twojslideshowsetup' function called via the wpajaxtwojslideshowsetup AJAX action in versions up to, and including, 1.3.31. This makes it possible for authenticated attackers...
CVE-2024-13423
The Sparkling theme for WordPress is vulnerable to unauthorized plugin activation/deactivation due to a missing capability check on the 'sparklingactivateplugin' and 'sparklingdeactivateplugin' functions in versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers...
CVE-2024-13423 Sparkling <= 2.4.9 - Missing Authorization to Unauthenticated Arbitrary Plugin Activation/Deactivation
The Sparkling theme for WordPress is vulnerable to unauthorized plugin activation/deactivation due to a missing capability check on the 'sparklingactivateplugin' and 'sparklingdeactivateplugin' functions in versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers...
CVE-2019-25149
The Gallery Images Ape plugin for WordPress is vulnerable to Arbitrary Plugin Deactivation in versions up to, and including, 2.0.6. This allows authenticated attackers with any capability level to deactivate any plugin on the site, including plugins necessary to site functionality or security...
CVE-2020-36730
The CMP for WordPress is vulnerable to authorization bypass due to a missing capability check on the cmpgetpostdetail, niteoexportcsv, and cmpdisablecomingsoonajax functions in versions up to, and including, 3.8.1. This makes it possible for unauthenticated attackers to read posts, export...
CVE-2024-1217
The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the await_plugin_deactivation function in all versions up to, and including, 2.3.41. This makes it possible for...
CVE-2024-12006 W3 Total Cache <= 2.8.1 Missing Authorization to Unauthenticated Plugin Deactivation and Extensions Activation/Deactivation
The W3 Total Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 2.8.1. This makes it possible for unauthenticated attackers to deactivate the plugin as well as activate and...
WordPress W3 Total Cache plugin <= 2.8.1 Missing Authorization to Unauthenticated Plugin Deactivation and Extensions Activation/Deactivation vulnerability
WordPress W3 Total Cache plugin <= 2.8.1 Missing Authorization to Unauthenticated Plugin Deactivation and Extensions Activation/Deactivation vulnerability discovered by villu164 in WordPress Plugin W3 Total Cache versions <= 2.8.1...
WordPress Gaga Lite theme <= 1.4.2 - Authenticated Arbitrary Plugin Activation/Deactivation to RCE vulnerability
Authenticated Arbitrary Plugin Activation/Deactivation to RCE vulnerability discovered by Mika Patchstack Alliance in WordPress Theme Gaga Lite versions <= 1.4.2...
UBUNTU-CVE-2024-51485
Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing fails to properly validate CSRF tokens when activating or deactivating plugins. This vulnerability allows an attacker to exploit CSRF attacks, potentially enabling them to change...
CVE-2024-51485 Insufficient Validation in Plugins (Activation/Deactivation) in Ampache
Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing fails to properly validate CSRF tokens when activating or deactivating plugins. This vulnerability allows an attacker to exploit CSRF attacks, potentially enabling them to change...
PT-2024-34649 · Ampache · Ampache
Name of the Vulnerable Software and Affected Versions: Ampache versions prior to 7.0.1. Description: Ampache is a web-based audio/video streaming application and file manager. The current implementation of token parsing fails to properly validate CSRF tokens when activating or deactivating plugins...
CVE-2024-9891 Multiline files upload for contact form 7 <= 2.8.1 - Missing Authorization to Authenticated (Subscriber+) Plugin Deactivation
The Multiline files upload for contact form 7 plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the mfcf7zlcustomhandledeactivationpluginformsubmission function in all versions up to, and including, 2.8.1. This makes it possible for...
WordPress Multiline files upload for contact form 7 plugin <= 2.8.1 - Missing Authorization to Authenticated (Subscriber+) Plugin Deactivation vulnerability
Missing Authorization to Authenticated (Subscriber+) Plugin Deactivation vulnerability discovered by Tieu Pham Trong Nhan in WordPress Plugin Multiline files upload for contact form 7 versions <= 2.8.1...
CVE-2024-7032
CVE-2024-7032 affects the WordPress plugin Smart Online Order for Clover. The vulnerability is a missing authorization check in the function moo_deactivateAndClean, present in all versions up to and including 1.5.6, which could allow unauthenticated attackers to deactivate the plugin and drop a...
WordPress Pie Register plugin <= 3.8.3.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Installation and Activation/Deactivation vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Installation and Activation/Deactivation vulnerability discovered by Lucio Sá in WordPress Plugin Pie Register versions <= 3.8.3.4...
CVE-2024-0702
The Oliver POS – A WooCommerce Point of Sale POS plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions hooked via AJAX in the includes/class-pos-bridge-install.php file in all versions up to, and including, 2.4.1.8. This makes it possible...
CVE-2024-1217
CVE-2024-1217 affects the Kali Forms WordPress plugin (Contact Form builder with drag & drop). The vulnerability arises from a missing capability check in the await_plugin_deactivation function across versions up to 2.3.41, allowing authenticated users with subscriber access or higher to deactiva...
CVE-2024-1217 Contact Form builder with drag & drop for WordPress – Kali Forms <= 2.3.41 - Missing Authorization to Arbitrary Plugin Deactivation
The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the await_plugin_deactivation function in all versions up to, and including, 2.3.41. This makes it possible for...