
841 matches found

CVE
added 2022/07/11 12:57 p.m. | 51 views

CVE-2022-2123

The CVE entry CVE-2022-2123 corresponds to the WP Opt-in WordPress plugin (versions

4.3 CVSS | 4.5 AI score | 0.00103 EPSS
Exploits 2 | References 1 | Affected Software 1

CNNVD
added 2022/07/11 12:0 a.m. | 1 view

WordPress plugin Opt-in cross-site request forgery vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plugin. Version 1.4.1 of the WordPress Opt-in plugin is vulnerable to cross-site request forgery, which can b...

4.3 CVSS | 5.3 AI score | 0.00103 EPSS
Exploits 2 | References 2

ATTACKERKB
added 2022/06/27 9:15 a.m. | 3 views

CVE-2022-1321

The miniOrange's Google Authenticator WordPress plugin before 5.5.6 does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious JavaScript code leading to Cross-Site Scripting attacks when unfiltered_html is disallowed for example ...

4.8 CVSS | 5.6 AI score | 0.00393 EPSS
Exploits 2 | References 2

Prion
added 2022/06/27 9:15 a.m. | 15 views

Cross site request forgery (csrf)

The New User Approve WordPress plugin before 2.4 does not have CSRF check in place when updating its settings and adding invitation codes, which could allow attackers to add invitation codes for bypassing the provided restrictions and to change plugin settings by tricking admin users into visitin...

4.3 CVSS | 4.6 AI score | 0.00103 EPSS
Exploits 2 | References 1 | Affected Software 1

OSV
added 2022/06/15 8:15 p.m. | 0 views

CVE-2021-36891

Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery by Supsystic plugin <= 1.15.5 at WordPress allows changing the plugin settings...

4.3 CVSS | 5.8 AI score
Exploits 0 | References 2

Vulnrichment
added 2022/06/15 7:16 p.m. | 7 views

CVE-2021-36891 WordPress Photo Gallery by Supsystic plugin <= 1.15.5 - Cross-Site Request Forgery (CSRF) leading to Plugin Settings Change

Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery by Supsystic plugin <= 1.15.5 at WordPress allows changing the plugin settings...

5.4 CVSS | 5.5 AI score | 0.00103 EPSS
Exploits 1 | References 2

wpexploit
added 2022/06/06 12:0 a.m. | 210 views

XCloner < 4.3.6 - Plugin Settings Reset

The plugin does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key. v4.3.5 added capability check, but CSRF one still missing. v...

4.3 CVSS | 1.1 AI score | 0.00096 EPSS
Exploits 2

Patchstack
added 2022/06/06 12:0 a.m. | 15 views

WordPress XCloner plugin < 4.3.5 - Unauthenticated Plugin Settings Reset vulnerability

Unauthenticated Plugin Settings Reset vulnerability discovered by Krzysztof Zając in WordPress XCloner plugin versions 4.3.5. Solution Update the WordPress XCloner Backup, Restore and Migrate plugin to the latest available version at least 4.3.6...

4.3 CVSS | 2.7 AI score | 0.00096 EPSS
Exploits 2 | References 1 | Affected Software 1

WPVulnDB
added 2022/06/01 12:0 a.m. | 18 views

Social Share Buttons by Supsystic < 2.2.4 - Multiple CSRF

The plugin does not perform CSRF checks in its AJAX endpoints and admin pages, allowing an attacker to trick any logged in user to manipulate or change the plugin settings, as well as create, delete and rename projects and networks. PoC...

4.3 CVSS | 2.7 AI score | 0.00103 EPSS
Exploits 2 | Affected Software 1

wpexploit
added 2022/05/30 12:0 a.m. | 109 views

Print, PDF, Email by PrintFriendly < 5.2.3 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape the Custom Button Text settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. In the plugin's settings, tick 'Custom Button' and put the following payload ...

4.8 CVSS | 0.4 AI score | 0.00282 EPSS
Exploits 2

Github Security Blog
added 2022/05/24 5:9 p.m. | 20 views

CardGate Payments plugin for WooCommerce does not validate request origin

An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass...

8.1 CVSS | 7.1 AI score | 0.0026 EPSS
Exploits 6 | References 8 | Affected Software 1

OSV
added 2022/05/24 5:9 p.m. | 25 views

GHSA-5PQ5-9PHV-Q5J3 CardGate Payments plugin for WooCommerce does not validate request origin

An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass...

8.1 CVSS | 8 AI score | 0.0026 EPSS
Exploits 6 | References 8

WPVulnDB
added 2022/05/23 12:0 a.m. | 17 views

Genki Pre-Publish Reminder <= 1.4.1 - Stored XSS & RCE via CSRF

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and lead to Stored XSS as well as RCE when custom code is added via the plugin settings. PoC...

8.8 CVSS | 4.4 AI score | 0.00202 EPSS
Exploits 2 | Affected Software 1

wpexploit
added 2022/05/09 12:0 a.m. | 96 views

No Future Posts <= 1.4 - Admin+ Stored Cross-Site Scripting

The plugin does not escape its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowed. Put the following payload in any of the plugin's settings such as Exclude posts IDs and save: " autofocus onfocus=alert/XSS///...

4.8 CVSS | 0.8 AI score | 0.00282 EPSS
Exploits 2

OpenVAS
added 2022/05/06 12:0 a.m. | 14 views

WordPress Responsive Menu Plugin < 4.1.8 Information Disclosure Vulnerability

The WordPress plugin SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:expresstech:responsivemenu"; ifdescription...

8.8 CVSS | 8.8 AI score | 0.00821 EPSS
Exploits 0 | References 1

OSV
added 2022/05/02 8:15 p.m. | 2 views

CVE-2022-29444

Plugin Settings Change leading to Cross-Site Scripting (XSS) vulnerability in Cloudways Breeze plugin <= 2.0.2 on WordPress allows users with a subscriber or higher user role to execute any of the wpajax actions in the class BreezeConfiguration which includes the ability to change any of the plugin'...

5.4 CVSS | 5.9 AI score | 0.0018 EPSS
Exploits 0 | References 2

Prion
added 2022/05/02 8:15 p.m. | 16 views

Cross site scripting

Plugin Settings Change leading to Cross-Site Scripting (XSS) vulnerability in Cloudways Breeze plugin <= 2.0.2 on WordPress allows users with a subscriber or higher user role to execute any of the wpajax actions in the class BreezeConfiguration which includes the ability to change any of the plugin'...

3.5 CVSS | 5.3 AI score | 0.0018 EPSS
Exploits 0 | References 2 | Affected Software 1

CNNVD
added 2022/05/02 12:0 a.m. | 3 views

WordPress plugin Cloudways Breeze cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plugin. WordPress Cloudways Breeze plugin 2.0.2 and earlier versions have a cross-site scripting vulnerabilit...

6.5 CVSS | 5.6 AI score | 0.0018 EPSS
Exploits 0 | References 4

NVD
added 2022/04/29 5:15 p.m. | 8 views

CVE-2022-29414

Multiple (13x) Cross-Site Request Forgery (CSRF) vulnerabilities in WPKube's Subscribe To Comments Reloaded plugin mass update settings, manage subscriptions add a new subscription, update subscription, delete Subscription...

5.8 CVSS | 0.00098 EPSS
Exploits 0 | References 2

NVD
added 2022/04/25 5:15 p.m. | 11 views

CVE-2022-29417

Plugin Settings Update vulnerability in ShortPixel's ShortPixel Adaptive Images plugin = 3.3.1 at WordPress allows an attacker with a low user role like a subscriber or higher to change the plugin settings...

4.3 CVSS | 0.00135 EPSS
Exploits 0 | References 2