Responsive Menu < 4.1.8 - Subscriber+ Arbitrary File Upload / Theme Deletion / Plugin Settings Update
The plugin is missing authorisation checks on several of its AJAX actions, such as savemenuglobalsettings, and relies only on CSRF nonces that are disclosed to any authenticated user. As a result, low-privilege users could call the affected actions, leading to arbitrary file upload, theme deletion as well as...
CVE-2022-23983
Cross-Site Request Forgery (CSRF) vulnerability leading to Plugin Settings Update discovered in WP Content Copy Protection & No Right Click WordPress plugin versions <= 3.4.4...
WordPress Ibtana plugin <= 1.1.4.8 - Plugin Settings Update vulnerability leading to Stored Cross-Site Scripting (XSS)
Plugin Settings Update vulnerability leading to Stored Cross-Site Scripting (XSS) discovered by Krzysztof Zając in WordPress Ibtana plugin versions <= 1.1.4.8. Solution: Update the WordPress Ibtana plugin to the latest available version (at least 1.1.4.9)...
WordPress Single Post Exporter plugin <= 1.1.1 - Cross-Site Request Forgery (CSRF) vulnerability leading to Plugin Settings Update
Cross-Site Request Forgery (CSRF) vulnerability leading to Plugin Settings Update discovered by Francesco Carlucci in WordPress Single Post Exporter plugin versions <= 1.1.1. Solution: Deactivate and delete. This plugin has been closed as of September 23, 2021 and is not available for download. This...
WordPress WP Admin Logo Changer plugin <= 1.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to Plugin Settings Update
Cross-Site Request Forgery (CSRF) vulnerability leading to Plugin Settings Update discovered by apple502j in WordPress WP Admin Logo Changer plugin versions <= 1.0. Solution: Deactivate and delete. This plugin has been closed as of October 4, 2021 and is not available for download. This closure is...
BuddyPress Customer.io Analytics Integration <= 1.1.6 - Arbitrary Plugin Settings Update via CSRF
The plugin does not properly perform the CSRF check when saving its settings, allowing attackers to make a logged-in admin change them to arbitrary values. PoC...
WP Prayer < 1.6.7 - Arbitrary Plugin Settings Update via CSRF
The plugin did not properly check for CSRF in some of its module functions, allowing an attacker to make a logged-in admin change all of the plugin's settings, including for example the email settings. v1.6.6 fixed most of the CSRF checks, but the one in model.emailsettings.php was improperly fixed; bypass still...
WordPress Ship To eCourier plugin <= 1.0.1 - Cross-Site Request Forgery (CSRF) vulnerability allowing Plugin Settings Update
Cross-Site Request Forgery (CSRF) vulnerability allowing Plugin Settings Update discovered by WPScan Team in WordPress Ship To eCourier plugin versions <= 1.0.1. Solution: Update the WordPress Ship To eCourier plugin to the latest available version (at least 1.0.2)...
WordPress Advanced AJAX Product Filters plugin <= 1.3.6.1 - Unauthenticated Plugin Settings Update vulnerability
Unauthenticated Plugin Settings Update vulnerability found in WordPress Advanced AJAX Product Filters plugin versions <= 1.3.6.1. Solution: Update the WordPress Advanced AJAX Product Filters plugin to the latest available version (at least 1.3.7)...
Advanced AJAX Product Filters < 1.3.7 - Unauthenticated Plugin Settings Update
The Advanced AJAX Product Filters WordPress plugin was affected by an Unauthenticated Plugin Settings Update security vulnerability...
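The entries above share one root cause: a settings-save handler reachable through admin-ajax.php that either skips the CSRF check entirely (the BuddyPress Customer.io, WP Prayer and Single Post Exporter entries) or checks a nonce but no capability, while handing that nonce to every logged-in user (the Responsive Menu entry). The following is an added example, not code from any plugin listed on this page: a hypothetical WordPress plugin's AJAX settings handler in its vulnerable form beside a hardened form. The plugin slug, option name, hook names and the settings keys (example_plugin, example_plugin_settings, example_save_settings, menu_label, breakpoint, enabled) are assumptions made for the illustration; the WordPress functions used (check_ajax_referer, current_user_can, wp_localize_script, wp_send_json_error, update_option) are real core APIs.

```php
<?php
/**
 * Added example, not the code of any plugin above. All plugin-specific names
 * (example_plugin, example_plugin_settings, example_save_settings and the
 * settings keys) are hypothetical.
 */

// ---- Vulnerable pattern ------------------------------------------------
// 1. The nonce is emitted on every wp-admin page, so any Subscriber who can
//    load wp-admin can read it from the page source or a localized script var.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-admin-vuln', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin-vuln', 'exampleAjaxVuln', array(
        'nonce' => wp_create_nonce( 'example_save_settings' ),
    ) );
} );

// 2. The handler verifies the nonce but never checks a capability, and stores
//    the raw POST body. Combined with the disclosed nonce, any authenticated
//    user can overwrite the settings; if a value is later echoed into a page,
//    this is also the path to stored XSS (compare the Ibtana entry).
add_action( 'wp_ajax_example_save_settings_vuln', function () {
    check_ajax_referer( 'example_save_settings', 'nonce' );
    update_option( 'example_plugin_settings', wp_unslash( $_POST['settings'] ) );
    wp_send_json_success();
} );

// ---- Hardened pattern --------------------------------------------------
// 1. Emit the nonce only on the plugin's own settings page, and only to users
//    who hold the capability the handler will demand. The hook suffix assumes
//    the page was registered with add_options_page() and slug 'example_plugin'.
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    if ( 'settings_page_example_plugin' !== $hook_suffix || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'nonce' => wp_create_nonce( 'example_save_settings' ),
    ) );
} );

// 2. Authorisation first (may this user do this at all?), then the CSRF
//    check (did this user intend the request?), then strict validation of
//    what is stored. A nonce is not an authorisation mechanism: it only proves
//    the request originated from a page WordPress rendered for some
//    logged-in user, which is exactly why a disclosed nonce is useless as a
//    privilege boundary.
add_action( 'wp_ajax_example_save_settings', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_save_settings', 'nonce' );

    $in = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = example_plugin_sanitize_settings( $in );

    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success( $settings );
} );

/**
 * Whitelist the keys that may be stored and coerce each value to its expected
 * type. Unknown keys are dropped, so an attacker cannot smuggle in options the
 * UI never exposes, and string values cannot carry markup into a later echo.
 */
function example_plugin_sanitize_settings( array $in ) {
    return array(
        'menu_label' => sanitize_text_field( $in['menu_label'] ?? '' ),
        'breakpoint' => max( 0, min( 4096, absint( $in['breakpoint'] ?? 768 ) ) ),
        'enabled'    => ! empty( $in['enabled'] ),
    );
}
```

When reviewing a plugin for this class of bug, grep for every `add_action( 'wp_ajax_` and `wp_ajax_nopriv_` registration and confirm each callback performs a `current_user_can()` check for a capability appropriate to the action before it touches `update_option()`, the filesystem or theme/plugin state; a `check_ajax_referer()` call on its own, as the Responsive Menu entry shows, is not sufficient.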