
121 matches found

Positive Technologies
added 2024/02/20 12:0 a.m. · 2 views

PT-2024-17468 · WordPress · Kali Forms

Name of the Vulnerable Software and Affected Versions: Kali Forms plugin for WordPress versions up to, and including, 2.3.41

Description: The issue arises from a missing capability check on the await plugin deactivation function, allowing authenticated attackers with subscriber access or higher t...

CVSS 7.6 · AI score 9.4 · EPSS 0.00306
Exploits 0 · References 6

WPVulnDB
added 2024/02/19 12:0 a.m. · 12 views

Contact Form builder with drag & drop for WordPress – Kali Forms < 2.3.42 - Missing Authorization to Arbitrary Plugin Deactivation

Description The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the awaitplugindeactivation function in all versions up to, and including, 2.3.41. This makes it possible fo...

CVSS 7.6 · AI score 7.3 · EPSS 0.00306
Exploits 0 · References 1 · Affected Software 1

WPVulnDB
added 2023/11/24 12:0 a.m. · 19 views

GiveWP < 2.33.4 - Cross-Site Request Forgery to plugin deactivation

Description The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the givesendwpdisconnect function. This makes it possible for unauthenticated attackers to deactivate the SendW...

CVSS 5.4 · AI score 6.6 · EPSS 0.00259
Exploits 0 · References 1 · Affected Software 1

Vulnrichment
added 2023/07/27 6:54 a.m. · 4 views

CVE-2023-3956 InstaWP Connect <= 0.0.9.18 - Missing Authorization to Unauthenticated Post/Taxonomy/User Add/Change/Delete, Customizer Setting Change, Plugin Installation/Activation/Deactivation via events_receiver

The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the 'events_receiver' function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add,...

CVSS 9.8 · AI score 5.9 · EPSS 0.00758
Exploits 0 · References 3

OSV
added 2023/06/07 2:15 a.m. · 2 views

CVE-2020-36721

The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activelloactivateplugin' and 'activellodeactivateplugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing...

CVSS 6.5 · AI score 5.9 · EPSS 0.00979
Exploits 1 · References 5

OSV
added 2023/06/07 2:15 a.m. · 4 views

CVE-2020-36729

The 2J-SlideShow Plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'twojslideshowsetup' function called via the wpajaxtwojslideshowsetup AJAX action in versions up to, and including, 1.3.31. This makes it possible for authenticated attackers...

CVSS 4.3 · AI score 5.8 · EPSS 0.00715
Exploits 1 · References 4

OSV
added 2023/06/07 2:15 a.m. · 2 views

CVE-2019-25149

The Gallery Images Ape plugin for WordPress is vulnerable to Arbitrary Plugin Deactivation in versions up to, and including, 2.0.6. This allows authenticated attackers with any capability level to deactivate any plugin on the site, including plugins necessary to site functionality or security...

CVSS 4.3 · AI score 5.6 · EPSS 0.00607
Exploits 1 · References 2

NVD
added 2023/06/07 2:15 a.m. · 6 views

CVE-2019-25149

The Gallery Images Ape plugin for WordPress is vulnerable to Arbitrary Plugin Deactivation in versions up to, and including, 2.0.6. This allows authenticated attackers with any capability level to deactivate any plugin on the site, including plugins necessary to site functionality or security...

CVSS 7.6 · AI score 7.3 · EPSS 0.00607
Exploits 1 · References 2

Prion
added 2023/06/07 2:15 a.m. · 16 views

Authorization

The CMP for WordPress is vulnerable to authorization bypass due to a missing capability check on the cmpgetpostdetail, niteoexportcsv, and cmpdisablecomingsoonajax functions in versions up to, and including, 3.8.1. This makes it possible for unauthenticated attackers to read posts, export...

CVSS 6.4 · AI score 8.9 · EPSS 0.02269
Exploits 1 · References 4 · Affected Software 1

Prion
added 2023/06/07 2:15 a.m. · 22 views

Authorization

The 2J-SlideShow Plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'twojslideshowsetup' function called via the wpajaxtwojslideshowsetup AJAX action in versions up to, and including, 1.3.31. This makes it possible for authenticated attackers...

CVSS 4 · AI score 4.5 · EPSS 0.00715
Exploits 1 · References 4 · Affected Software 1

Vulnrichment
added 2023/06/07 1:51 a.m. · 13 views

CVE-2020-36730 CMP <= 3.8.1 - Missing Authorization

The CMP for WordPress is vulnerable to authorization bypass due to a missing capability check on the cmpgetpostdetail, niteoexportcsv, and cmpdisablecomingsoonajax functions in versions up to, and including, 3.8.1. This makes it possible for unauthenticated attackers to read posts, export...

CVSS 8.3 · AI score 7.2 · EPSS 0.02269
Exploits 1 · References 4

Vulnrichment
added 2023/06/07 1:51 a.m. · 12 views

CVE-2020-36729 Slideshow, Image Slider by 2J <= 1.3.31 - Authorization Bypass

The 2J-SlideShow Plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'twojslideshowsetup' function called via the wpajaxtwojslideshowsetup AJAX action in versions up to, and including, 1.3.31. This makes it possible for authenticated attackers...

CVSS 5.4 · AI score 5.9 · EPSS 0.00715
Exploits 1 · References 4

CVE
added 2023/06/07 1:51 a.m. · 57 views

CVE-2019-25149

CVE-2019-25149 affects the Gallery Images Ape plugin for WordPress. Affected: WordPress plugin Gallery Images Ape, vulnerable in versions up to and including 2.0.6. Root cause: authenticated users with any capability can deactivate any plugin on the site, potentially disabling critical functional...

CVSS 7.6 · AI score 4.5 · EPSS 0.00607
Exploits 1 · References 2 · Affected Software 1

Vulnrichment
added 2023/06/07 1:51 a.m. · 14 views

CVE-2019-25149 Gallery Images Ape <= 2.0.6 - Authenticated Plugin Deactivation

The Gallery Images Ape plugin for WordPress is vulnerable to Arbitrary Plugin Deactivation in versions up to, and including, 2.0.6. This allows authenticated attackers with any capability level to deactivate any plugin on the site, including plugins necessary to site functionality or security...

CVSS 7.6 · AI score 5.8 · EPSS 0.00607
Exploits 1 · References 2

Cvelist
added 2023/06/07 1:51 a.m. · 21 views

CVE-2019-25149 Gallery Images Ape <= 2.0.6 - Authenticated Plugin Deactivation

The Gallery Images Ape plugin for WordPress is vulnerable to Arbitrary Plugin Deactivation in versions up to, and including, 2.0.6. This allows authenticated attackers with any capability level to deactivate any plugin on the site, including plugins necessary to site functionality or security...

CVSS 7.6 · AI score 7.3 · EPSS 0.00607
Exploits 1 · References 2

Vulnrichment
added 2023/06/07 1:51 a.m. · 15 views

CVE-2020-36721 Epsilon Framework Themes (Various Versions) - Unauthenticated Plugin Activation/Deactivation

The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activelloactivateplugin' and 'activellodeactivateplugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing...

CVSS 6.5 · AI score 6.8 · EPSS 0.00979
Exploits 1 · References 5

CVE
added 2023/06/07 1:51 a.m. · 59 views

CVE-2020-36721

CVE-2020-36721 affects WordPress themes Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X

CVSS 6.5 · AI score 6.5 · EPSS 0.00979
Exploits 1 · References 5 · Affected Software 15

CNNVD
added 2023/06/07 12:0 a.m. · 2 views

WordPress Plugin Gallery Images Ape Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. WordPress Plugin Gallery Images Ape...

CVSS 7.6 · AI score 5.3 · EPSS 0.00607
Exploits 1 · References 3

ATTACKERKB
added 2023/01/10 5:15 p.m. · 1 views

CVE-2022-4702

The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wprfixroyalcompatibility' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to deactivate every plugin on...

CVSS 6.5 · AI score 6.8 · EPSS 0.00798
Exploits 1 · References 4

Wordfence Blog
added 2023/01/10 4:41 p.m. · 26 views

Eleven Vulnerabilities Patched in Royal Elementor Addons

On December 23, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations. The plugin developers responded on December 26, and we sent over the full...

AI score 0.7 · EPSS 0.00945
Exploits 2