837 matches found

Patchstack
added 2024/07/11 10:2 a.m. · 3 views

WordPress Sirv plugin <= 7.2.7 - Authenticated (Subscriber+) Missing Authorization to Plugin Settings Update vulnerability

Authenticated Subscriber+ Missing Authorization to Plugin Settings Update vulnerability discovered by Rafshanzani Suhada in WordPress Plugin Sirv versions <= 7.2.7...

CVSS 5.4 · AI score 7 · EPSS 0.00175
Exploits 0 · References 1 · Affected Software 1
ATTACKERKB
added 2024/07/09 9:15 a.m. · 1 views

CVE-2024-5648

The LearnDash LMS – Reports plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions i.e. wrldsetconfiguration, wrldexcludesettingssave, applytimetrackingsettings, wpajaxwrldgutenbergblockvisit, etc.. in all versions up to, and...

CVSS 5.4 · AI score 5.9 · EPSS 0.00227
Exploits 0 · References 8
Vulnrichment
added 2024/07/09 8:33 a.m. · 15 views

CVE-2024-5648 LearnDash LMS - Reports Free <= 1.8.2 - Missing Authorization to Plugin Settings Update

The LearnDash LMS – Reports plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

CVSS 5.4 · AI score 6.5 · EPSS 0.00227
Exploits 0 · References 6
Patchstack
added 2024/07/09 8:28 a.m. · 3 views

WordPress EventON plugin <= 2.2.15 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting and Plugin Settings Updates vulnerability

Missing Authorization to Unauthenticated Stored Cross-Site Scripting and Plugin Settings Updates vulnerability discovered by Lucio Sá in WordPress Plugin EventON versions <= 2.2.15...

CVSS 7.2 · AI score 5.8 · EPSS 0.00689
Exploits 0 · References 1 · Affected Software 1
Vulnrichment
added 2024/07/09 7:38 a.m. · 12 views

CVE-2024-6180 EventON <= 2.2.15 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting and Plugin Settings Updates

The EventON plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eventonimportsettings' ajax action in all versions up to, and including, 2.2.15. This makes it possible for unauthenticated attackers to update plugin settings, including...

CVSS 7.2 · AI score 6 · EPSS 0.00689
Exploits 0 · References 2
Positive Technologies
added 2024/07/09 12:0 a.m. · 2 views

PT-2024-36419 · WordPress · Easy Pixels

Name of the Vulnerable Software and Affected Versions: Easy Pixels plugin for WordPress versions up to, and including, 2.13 Description: The issue is related to Stored Cross-Site Scripting via plugin settings due to insufficient input sanitization and output escaping. This allows unauthenticated...

CVSS 7.2 · AI score 6.2 · EPSS 0.02797
Exploits 0 · References 8
OSV
added 2024/07/04 8:15 a.m. · 0 views

CVE-2024-5641

The One Click Order Re-Order plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'cedocorsavegeneralsetting' function in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Subscriber-level...

CVSS 5.4 · AI score 5.4
Exploits 0 · References 3
Vulnrichment
added 2024/06/22 5:47 a.m. · 25 views

CVE-2024-3593 UberMenu <= 3.8.3 - Cross-Site Request Forgery to Settings Reset

The UberMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the ubermenudeleteallitemsettings and ubermenuresetsettings functions. This makes it possible for unauthenticated...

CVSS 7.2 · AI score 6.7 · EPSS 0.00083
Exploits 0 · References 2
Vulnrichment
added 2024/06/21 2:5 a.m. · 13 views

CVE-2024-1955 Hide Dashboard Notifications <= 1.3 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Modification

The Hide Dashboard Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'warningnoticessettings' function in all versions up to, and including, 1.3. This makes it possible for authenticated attackers, with contributor acces...

CVSS 4.3 · AI score 6.5 · EPSS 0.00135
Exploits 0 · References 3
Cvelist
added 2024/06/20 2:8 a.m. · 19 views

CVE-2024-3602 Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer <= 1.1.0 - Missing Authorization

The Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the disconnectpromolayer function in all versions up to, and including, 1.1.0. This...

CVSS 4.3 · EPSS 0.00209
Exploits 0 · References 3
Positive Technologies
added 2024/06/13 12:0 a.m. · 4 views

PT-2024-29421 · WordPress · The Floating Chat Widget

Name of the Vulnerable Software and Affected Versions: The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin versions prior to 3.2.3 Description: The issue allows high privilege users, such as admins, to perform...

CVSS 6.1 · AI score 5.7 · EPSS 0.00186
Exploits 2 · References 5
Vulnrichment
added 2024/06/12 8:49 a.m. · 13 views

CVE-2023-51671 WordPress FunnelKit Checkout plugin <= 3.10.3 - Authenticated Plugin Settings Change vulnerability

Missing Authorization vulnerability in FunnelKit FunnelKit Checkout. This issue affects FunnelKit Checkout: from n/a through 3.10.3...

CVSS 5.4 · AI score 6.9 · EPSS 0.00145
Exploits 0 · References 1
NVD
added 2024/06/08 8:15 a.m. · 11 views

CVE-2024-4468

The Salon booking system plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked into admininit in all versions up to, and including, 9.9. This makes it possible for authenticated attackers with subscriber...

CVSS 5.4 · EPSS 0.0031
Exploits 0 · References 9
Vulnrichment
added 2024/06/08 7:37 a.m. · 14 views

CVE-2024-4468 Salon booking system <= 9.9 - Missing Authorization

The Salon booking system plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked into admininit in all versions up to, and including, 9.9. This makes it possible for authenticated attackers with subscriber...

CVSS 4.3 · AI score 6.4 · EPSS 0.0031
Exploits 0 · References 9
OSV
added 2024/06/08 5:15 a.m. · 3 views

CVE-2024-5770

The WP Force SSL & HTTPS SSL Redirect plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajaxsavesetting' function in versions up to, and including, 1.66. This makes it possible for authenticated attackers, subscriber-level permission...

CVSS 4.3 · AI score 5.8 · EPSS 0.00072
Exploits 0 · References 4
CVE
added 2024/06/06 2:2 a.m. · 53 views

CVE-2023-6966

The Moneytizer WordPress plugin (The Moneytizer) is vulnerable in versions up to 9.5.20 due to a missing capability check in core_ajax.php across multiple AJAX functions. This allows authenticated users with subscriber privileges and higher to view/update billing and bank details, adjust plugin s...

CVSS 8.1 · AI score 5.9 · EPSS 0.0047
Exploits 0 · References 3 · Affected Software 1
WPVulnDB
added 2024/06/05 12:0 a.m. · 11 views

The Moneytizer <= 9.5.20 - Missing Authorization via multiple AJAX actions

Description: The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/coreajax.php file in all versions up to, and including, 9.5.20. This makes it possible...

CVSS 8.1 · AI score 6.4 · EPSS 0.0047
Exploits 0 · References 1
NVD
added 2024/05/30 9:15 a.m. · 16 views

CVE-2024-4427

The Comparison Slider plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions in all versions up to, and including, 1.0.5. This makes it possible for authenticated attackers, with subscriber access or above, to change plugi...

CVSS 4.3 · AI score 4.7 · EPSS 0.00189
Exploits 0 · References 2
CVE
added 2024/05/30 8:30 a.m. · 43 views

CVE-2024-4427

CVE-2024-4427 concerns the WordPress plugin Comparison Slider. The vulnerability exists in all versions up to and including 1.0.5 due to a missing capability check on several AJAX actions. This can allow authenticated attackers with subscriber access or higher to modify data, including plugin s...

CVSS 4.3 · AI score 4.7 · EPSS 0.00189
Exploits 0 · References 2 · Affected Software 1
NVD
added 2024/05/30 5:15 a.m. · 13 views

CVE-2024-3947

The WP To Do plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.0. This is due to missing or incorrect nonce validation on the wptodosettings function. This makes it possible for unauthenticated attackers to modify the plugin's settings via ...

CVSS 4.3 · AI score 4.7 · EPSS 0.00197
Exploits 0 · References 3