Page Restrict <= 2.5.5 - Cross-Site Request Forgery via pr_admin_page
Description: The Page Restrict plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.5. This is due to missing or incorrect nonce validation on the 'pr_admin_page' function. This makes it possible for unauthenticated attackers to modify the plugin...
Mang Board WP < 1.7.8 - Admin+ Stored XSS
Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup)...
Advanced Page Visit Counter <= 8.0.6 - Admin+ Stored XSS
Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). PoC: 1. Visit the "Settings" interface...
SalesKing < 1.6.30 - Missing Authorization to Settings Change
Description: The SalesKing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in all versions up to, and including, 1.6.15. This makes it possible for unauthenticated attackers to modify plugin settings...
Restaurant & Cafe Addon for Elementor < 1.5.3 - Missing Authorization
Description: The plugin is vulnerable to unauthorized modification of data due to missing capability checks on the rcafebwsettingssavefunc, rctlbwtogglesubmitfunc, rcafeuwsettingssavefunc, and rctluwtogglesubmitfunc functions, all hooked via nopriv AJAX actions, in all versions up to, and including,...
CVE-2023-6637
The CAOS | Host Google Analytics Locally plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_settings' function in versions up to, and including, 4.7.14. This makes it possible for unauthenticated attackers to update plugin...
Design/Logic Flaw
The GTG Product Feed for Shopping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_settings' function in versions up to, and including, 1.2.4. This makes it possible for unauthenticated attackers to update plugin settings...
CVE-2023-6751 Hostinger <= 1.9.7 - Missing Authorization to Maintenance Mode Activation
The Hostinger plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the function publish_website in all versions up to, and including, 1.9.7. This makes it possible for unauthenticated attackers to enable and disable maintenance mode...
CVE-2023-4248 GiveWP <= 2.33.3 - Cross-Site Request Forgery to Stripe Integration Deletion
The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the give_stripe_disconnect_connect_stripe_account function. This makes it possible for unauthenticated attackers to deactivate t...
CVE-2023-6496 Manage Notification E-mails <= 1.8.5 - Missing Authorization
The Manage Notification E-mails plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.8.5 via the card_famne_export_settings function. This makes it possible for unauthenticated attackers to obtain plugin settings...
PT-2024-14974 · WordPress · Manage Notification E-Mails Plugin
Name of the Vulnerable Software and Affected Versions: Manage Notification E-mails plugin for WordPress, versions up to, and including, 1.8.5. Description: The issue concerns Missing Authorization, allowing unauthenticated attackers to obtain plugin settings via the card_famne_export_settings...
Cross-Site Request Forgery (CSRF)
The Depicter Slider – Responsive Image Slider, Video Slider & Post Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.6. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible for...
Thrive Automator < 1.17.1 - Cross-Site Request Forgery
Description: The Thrive Automator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.17. This is due to missing or incorrect nonce validation on the factory_reset function. This makes it possible for unauthenticated attackers to reset plugin setting...
LA-Studio Element Kit for Elementor < 1.1.6 - Missing Authorization
Description: The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on a REST-API endpoint in versions up to, and including, 1.1.5. This makes it possible for unauthenticated attackers to update the plugin's...
CVE-2024-0201 Product Expiry for WooCommerce <= 2.5 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
The Product Expiry for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_settings' function in versions up to, and including, 2.5. This makes it possible for authenticated attackers, with subscriber-level permissions ...
CVE-2023-6984 PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) <= 2.7.13 - Cross-Site Request Forgery
The PowerPack Addons for Elementor Free Widgets, Extensions and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.13. This is due to missing or incorrect nonce validation in the...