836 matches found
CVE-2022-4021 Permalink Manager Lite <= 2.2.20.1 - Cross-Site Request Forgery
The Permalink Manager Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.2.20.1. This is due to missing or incorrect nonce validation on the extraactions function. This makes it possible for unauthenticated attackers to change plugin settings...
Image Hover Effects < 5.5 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. Go to the plugin settings Image Hover Effects Ima...
WordPress plugin Follow Me Plugin Cross-Site Request Forgery vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. WordPress plugin Follow Me Plugin 3.1.1 and...
WordPress plugin OAuth Client by DigitialPixies Cross-Site Scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin that supports personal blog sites on PHP and MySQL servers. A cross-site scripting vulnerability exists in the...
CVE-2022-43491
Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to plugin settings import...
CVE-2022-40223
Nonce token leakage and missing authorization in SearchWP premium plugin <= 4.2.5 on WordPress leading to plugin settings change...
CVE-2022-32587
Cross-Site Request Forgery (CSRF) vulnerability in CodeAndMore WP Page Widget plugin <= 3.9 on WordPress leading to plugin settings change...
CVE-2022-27855
Cross-Site Request Forgery (CSRF) vulnerability in Fatcat Apps Analytics Cat plugin <= 1.0.9 on WordPress allows Plugin Settings Change...
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) vulnerability in CodeAndMore WP Page Widget plugin <= 3.9 on WordPress leading to plugin settings change...
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) vulnerability in Fatcat Apps Analytics Cat plugin <= 1.0.9 on WordPress allows Plugin Settings Change...
CVE-2022-32587 WordPress WP Page Widget plugin <= 3.9 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in CodeAndMore WP Page Widget plugin <= 3.9 on WordPress leading to plugin settings change...
CVE-2022-40223 WordPress SearchWP premium plugin <= 4.2.5 - Broken Authentication vulnerability
Nonce token leakage and missing authorization in SearchWP premium plugin <= 4.2.5 on WordPress leading to plugin settings change...
WordPress plugin Highlight Focus Cross-Site Scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin that supports personal blogs on PHP and MySQL servers. A cross-site scripting vulnerability exists in the...
CVE-2022-3852
The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.3. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to delete and modify calendars as well as the...
Authorization
The Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress is vulnerable to authorization bypass via several AJAX actions in versions up to, and including, 2.3.0 due to missing capability checks and missing nonce validation. This makes it possible for authenticated attacke...
WordPress VR Calendar plugin <= 2.3.3 – Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability leading to deletion and modification of calendars as well as the plugin settings, discovered by Marco Wotschka in the WordPress VR Calendar plugin versions <= 2.3.3. Solution: Update the WordPress VR Calendar plugin to the latest available version at lea...
AM-HiLi <= 1.0 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
WordPress demon image annotation cross-site request forgery vulnerability
WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site request forgery vulnerability exists in WordPress demon image annotation 4.7 and earlier versions, which stems from the lack of nonce...
CVE-2022-3097 LBStopAttack < 1.1.3 - Arbitrary Settings Update via CSRF
The LBStopAttack WordPress plugin before 1.1.3 does not use nonces when saving its settings, making it possible for attackers to conduct CSRF attacks. This could allow attackers to disable the plugin's protections...