CVE-2024-1809
The Analytify – Google Analytics Dashboard For WordPress GA4 analytics made easy plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on AJAX functions in combination with nonce leakage in all versions up to, and including, 5.2.3. This makes it...
CVE-2024-1677 Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce <= 3.4.6 - Improper Authorization
The Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to an improper capability check on 42 separate AJAX functions in all versions up to, and...
IDonate <= 1.9.0 - Admin+ Stored XSS
Description: The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). PoC: 1. Navigate to...
Survey Maker < 4.2.9 - Admin+ Stored XSS via Plugin Settings
Description: The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). PoC: 1. Add New Survey 2. Choose any...
Survey Maker < 4.2.9 - Admin+ Stored XSS via Plugin Settings
Description: The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). 1. Add New Survey 2. Choose any...
PT-2024-20719 · WordPress · Gamipress
Name of the Vulnerable Software and Affected Versions: GamiPress WordPress plugin versions prior to 6.8.9. Description: The access control mechanism in the GamiPress WordPress plugin fails to properly restrict access to its settings. This allows Authors to manipulate requests and extend access to...
CVE-2024-32951 WordPress Max Addons Pro for Bricks plugin <= 1.6.1 - Unauthenticated Plugin Settings Reset vulnerability
Missing Authorization vulnerability in BloomPixel Max Addons Pro for Bricks. This issue affects Max Addons Pro for Bricks: from n/a through 1.6.1...
WordPress Hosting Benchmark tool < 1.3.7 - Cross-Site Request Forgery via execute_plugin()
Description: The WordPress Hosting Benchmark tool plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.6. This is due to missing or incorrect nonce validation on the execute_plugin function. This makes it possible for unauthenticated attackers to...
PT-2024-18837 · WordPress · Social Media Share Buttons & Social Sharing Icons
Name of the Vulnerable Software and Affected Versions: Social Media Share Buttons & Social Sharing Icons WordPress plugin versions prior to 2.8.9. Description: The issue allows high-privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html...
Benchmark Email Lite < 4.2 - Cross-Site Request Forgery via page_settings()
Description: The Benchmark Email Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.1. This is due to missing or incorrect nonce validation on the page_settings function. This makes it possible for unauthenticated attackers to update the plugin...
WOOCS – WooCommerce Currency Switcher < 1.4.1.8 - Cross-Site Request Forgery
Description: The WOOCS – WooCommerce Currency Switcher plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.1.7. This is due to missing or incorrect nonce validation on the saveetalon function. This makes it possible for unauthenticated attackers ...
WordPress News Wall plugin <= 1.1.0 - Cross-Site Request Forgery to Plugin Settings Update vulnerability
Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by Benedictus Jovan in WordPress Plugin News Wall versions <= 1.1.0...
CVE-2024-2086 Integrate Google Drive <= 1.3.8 - Missing Authorization to Unauthenticated Settings Modification and Export
The Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple...
CVE-2024-2969
The WP-Eggdrop plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. This is due to missing or incorrect nonce validation on the wpegg_updateOptions function. This makes it possible for unauthenticated attackers to update the plugin's settings...
CVE-2024-2970
CVE-2024-2970 affects the News Wall WordPress plugin (all versions up to 1.1.0). It is a Cross-Site Request Forgery vulnerability caused by missing or incorrect nonce validation in the nwap_newslist_page() function. This enables unauthenticated attackers to update the plugin's settings an...
News Wall <= 1.1.0 - Cross-Site Request Forgery to Plugin Settings Update
Description: The News Wall plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the nwap_newslist_page function. This makes it possible for unauthenticated attackers to update the plugin'...
PT-2024-22963 · WordPress · Wp-Eggdrop
Name of the Vulnerable Software and Affected Versions: WP-Eggdrop plugin for WordPress versions up to, and including, 0.1. Description: The issue is a Cross-Site Request Forgery vulnerability due to missing or incorrect nonce validation in the wpegg_updateOptions function. This allows...
CVE-2024-22156 WordPress SalesKing plugin <= 1.6.15 - Unauthenticated Plugin Settings Change vulnerability
Missing Authorization vulnerability in SNP Digital SalesKing. This issue affects SalesKing: from n/a through 1.6.15...
CVE-2024-2326 Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin <= 3.6.3 - Cross-Site Request Forgery to Plugin Settings Update
The Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.3. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possibl...
Tracking Code Manager < 2.1.0 - Admin+ Stored Cross-Site Scripting
Description: The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup)...