Authorization

The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the savelocsettings function in versions up to, and including, 1.8.1. This makes it possible for unauthenticated attackers to change the settings of the plugin...

CVE-2020-36731 Flexible Checkout Fields for WooCommerce <= 2.3.1 - Unauthenticated Arbitrary Plugin Settings Update

The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction function...

CVE-2021-4352 JobSearch WP Job Board <= 1.8.1 - Missing Authorization to Settings Change

The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the savelocsettings function in versions up to, and including, 1.8.1. This makes it possible for unauthenticated attackers to change the settings of the plugin...

CVE-2020-36699 Quick Page/Post Redirect Plugin <= 5.1.9 - Redirect Security Bypass

The Quick Page/Post Redirect Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the qpprsavequickredirectajax and qpprdeletequickredirect functions in versions up to, and including, 5.1.9. This makes it possible for low-privileged attackers to interact...

PT-2023-12440 · Woocommerce +1 · Improved Product Options For Woocommerce +15

Name of the Vulnerable Software and Affected Versions: Product Filter for WooCommerce versions prior to 8.2.0 Improved Product Options for WooCommerce versions prior to 5.3.0 Improved Sale Badges for WooCommerce versions prior to 4.4.0 Share, Print and PDF Products for WooCommerce versions prior ...

KiviCare Management System < 3.2.1 - Subscriber+ Unauthorised AJAX Calls

The plugin does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated users, such as subscriber to call them. Attacks include but are not limited to: Add arbitrary Clinic Admin/Doctors/etc and update plugin's settings PoC Run one of the below commands i...

Cross site request forgery (csrf)

The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.6.2. This is due to missing nonce validation in the vcita-callback.php file. This makes it possible for unauthenticated attackers to modify the plugin's settin...

Design/Logic Flaw

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized medication of data via the /wp-json/vcita-wordpress/v1/actions/auth REST-API endpoint in versions up to, and including, 4.2.10 due to a missing capability check on the processAction...

CVE-2023-2405 CRM and Lead Management by vcita <= 2.7.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.0. This is due to missing nonce validation in the vcita-callback.php file. This makes it possible for unauthenticated attackers to modify the plugin's settin...

CVE-2023-0583

The VK Blocks plugin for WordPress is vulnerable to improper authorization via the REST 'updatevkblocksoptions' function in versions up to, and including, 1.57.0.5. This allows authenticated attackers, with contributor-level permissions or above, to change plugin settings including default icons...

CVE-2023-0583

The VK Blocks plugin for WordPress is vulnerable to improper authorization via the REST 'updatevkblocksoptions' function in versions up to, and including, 1.57.0.5. This allows authenticated attackers, with contributor-level permissions or above, to change plugin settings including default icons...

CVE-2023-0583 VK Blocks <= 1.57.0.5 - Authenticated(Contributor+) Settings Update

The VK Blocks plugin for WordPress is vulnerable to improper authorization via the REST 'updatevkblocksoptions' function in versions up to, and including, 1.57.0.5. This allows authenticated attackers, with contributor-level permissions or above, to change plugin settings including default icons...

CVE-2023-0583

The CVE-2023-0583 entry concerns the VK Blocks plugin for WordPress. Affected component: REST endpoint for updating settings (update_vk_blocks_options). Root cause: improper authorization enabling attackers with contributor-level permissions or higher to change plugin settings, including default ...

PT-2023-16382 · WordPress · Vk Blocks

Name of the Vulnerable Software and Affected Versions: VK Blocks plugin for WordPress versions up to, and including, 1.57.0.5 Description: The issue concerns improper authorization via the REST update vk blocks options function. This allows authenticated attackers with contributor-level permissio...

VK Blocks < 1.57.1.0 - Contributor+ Settings Update via REST API

The plugin uses improper authorization for the REST API vk-blocks/v1/updatevkblocksoptions, allowing users with a role as low as contributor to change plugin settings including default icons...

CVE-2023-2434

The Nested Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'reset' function in versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with editor-level permissions and above, to reset plugin settings...

Design/Logic Flaw

The Nested Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'reset' function in versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with editor-level permissions and above, to reset plugin settings...

Authorization

The Wordapp plugin for WordPress is vulnerable to authorization bypass due to an use of insufficiently unique cryptographic signature on the 'wapdxopconfigset' function in versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to the plugin to change the...

CVE-2023-2470 Add to Feedly <= 1.2.11 - Admin+ Stored XSS

The Add to Feedly WordPress plugin through 1.2.11 does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...

AI ChatBot < 4.5.5 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed. 1. Go to plugin settings under "WPBot Lite Simple Text Responses" 2. Enter the payload Test Query"...