PT-2023-15134 · WordPress · Royal Elementor Addons
Name of the Vulnerable Software and Affected Versions: The Royal Elementor Addons plugin for WordPress versions up to, and including, 1.3.59 Description: The issue is related to insufficient access control in the 'wpr fix royal compatibility' AJAX action. This allows any authenticated user,...
Royal Elementor Addons < 1.3.60 - Subscriber+ Arbitrary Plugin Deactivation
The plugin does not have authorisation and CSRF checks when deactivating plugins, which could allow any authenticated user, such as a subscriber, to perform such an action...
CVE-2022-4555
The WP Shamsi plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the deactivate function hooked via init in versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to deactivate arbitrary plugins on the site. This can...
WP Shamsi < 4.1.1 - Unauthenticated Arbitrary Plugin Deactivation
The plugin does not have an authorisation check when activating plugins via an action hooked to init, which could allow unauthenticated attackers to deactivate arbitrary plugins from the blog...
CVE-2022-3538 Webmaster Tools Verification <= 1.2 - Unauthenticated Arbitrary Plugin Deactivation
The Webmaster Tools Verification WordPress plugin through 1.2 does not have authorisation and CSRF checks when disabling plugins, allowing unauthenticated users to disable arbitrary plugins...
Webmaster Tools Verification <= 1.2 - Unauthenticated Arbitrary Plugin Deactivation
The plugin does not have authorisation and CSRF checks when disabling plugins, allowing unauthenticated users to disable arbitrary plugins curl -X POST --data "wmtvuninstall=1&wmtvuninstallconfirm=1&plugin=akismet/akismet.php" https://example.com...
Cross-site Scripting (XSS)
Overview johnpbloch/wordpress-core is web software you can use to create a website or blog. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to the error handling mechanism during plugin deactivation or deletion. An attacker can inject malicious scripts by...
CVE-2022-1656
Vulnerable versions of the JupiterX Theme <= 2.0.6 allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterxapiajax actions registered by the JupiterX Core Plugin <= 2.0.6. This includes the...
CVE-2022-1656
CVE-2022-1656 affects JupiterX Theme and JupiterX Core Plugin (versions
CVE-2022-1656 JupiterX Theme <= 2.0.6 and JupiterX Core <= 2.0.6 - Authenticated Arbitrary Plugin Deactivation and Settings Modification
Vulnerable versions of the JupiterX Theme <= 2.0.6 allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterxapiajax actions registered by the JupiterX Core Plugin <= 2.0.6. This includes the...
PT-2022-14027 · Unknown · Jupiter Theme +1
Name of the Vulnerable Software and Affected Versions: JupiterX Theme versions <= 2.0.6, JupiterX Core Plugin versions <= 2.0.6 Description: The issue allows any logged-in user to access functions registered in "lib/api/api/ajax.php", including jupiterx api ajax actions. This grants the ability to...
WordPress JupiterX premium theme <= 2.0.6 - Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification
Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification discovered by Ramuel Gall (Wordfence) in WordPress JupiterX premium theme versions <= 2.0.6. Solution: Update the WordPress JupiterX premium theme to the latest available version, at least 2.0....
WordPress Uncode Lite theme <= 1.3.3 - Authenticated Arbitrary Plugin Activation/Deactivation vulnerability
Authenticated Arbitrary Plugin Activation/Deactivation vulnerability discovered by Ex.Mi (Patchstack) in WordPress Uncode Lite theme versions <= 1.3.3. Solution: Deactivate and delete. The vendor ignores the vulnerability reports, avoids any conversation...
WordPress AccessPress Store theme <= 2.4.9 - Authenticated Arbitrary Plugin Activation/Deactivation vulnerability
Authenticated Arbitrary Plugin Activation/Deactivation vulnerability discovered by Ex.Mi (Patchstack) in WordPress AccessPress Store theme versions <= 2.4.9. Solution: Deactivate and delete. The vendor ignores the vulnerability reports, avoids any conversation...
WordPress The100 theme <= 1.1.2 - Authenticated Arbitrary Plugin Activation/Deactivation vulnerability
Authenticated Arbitrary Plugin Activation/Deactivation vulnerability discovered by Ex.Mi (Patchstack) in WordPress The100 theme versions <= 1.1.2. Solution: Deactivate and delete. The vendor ignores the vulnerability reports, avoids any conversation...
WordPress Eightmedi Lite theme <= 2.1.8 - Authenticated Arbitrary Plugin Activation/Deactivation vulnerability
Authenticated Arbitrary Plugin Activation/Deactivation vulnerability discovered by Ex.Mi (Patchstack) in WordPress Eightmedi Lite theme versions <= 2.1.8. Solution: Deactivate and delete. The vendor ignores the vulnerability reports, avoids any conversation...
WordPress Zigcy Baby theme <= 1.0.6 - Authenticated Arbitrary Plugin Activation/Deactivation vulnerability
Authenticated Arbitrary Plugin Activation/Deactivation vulnerability discovered by Ex.Mi (Patchstack) in WordPress Zigcy Baby theme versions <= 1.0.6. Solution: Deactivate and delete. The vendor ignores the vulnerability reports, avoids any conversation...
WordPress WPparallax theme <= 2.0.6 - Authenticated Arbitrary Plugin Activation/Deactivation vulnerability
Authenticated Arbitrary Plugin Activation/Deactivation vulnerability discovered by Ex.Mi (Patchstack) in WordPress WPparallax theme versions <= 2.0.6. Solution: Deactivate and delete. The vendor ignores the vulnerability reports, avoids any conversation...