CVE-2024-12253
The Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'save_settings', 'export_csv', and 'simpleecommcart-action' actions in all versions up to, and including, 3.1.2. This makes it...
CVE-2024-12253
CVE-2024-12253 concerns the WordPress plugin “Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal” (versions up to 3.1.2). The issue is a missing capability check on actions including ‘save_settings’, ‘export_csv’, and ‘simpleecommcart-action’, which allows an attacker with subscr...
WordPress ARForms plugin <= 6.4.1 - Subscriber+ Plugin Settings Change vulnerability
Subscriber+ Plugin Settings Change vulnerability discovered by Dave Jong Patchstack in WordPress Plugin ARForms versions <= 6.4.1...
CVE-2024-11118 404 Error Monitor <= 1.1 - Cross-Site Request Forgery to Plugin Settings Update via updatePluginSettings Function
The 404 Error Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the updatePluginSettings function. This makes it possible for unauthenticated attackers to make changes to plug...
WordPress 404 Error Monitor plugin <= 1.1 - Cross-Site Request Forgery to Plugin Settings Update vulnerability
Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by Francesco Carlucci in WordPress Plugin 404 Error Monitor versions <= 1.1...
CVE-2024-10311
The External Database Based Actions plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.1. This is due to a missing capability check in the 'edbaadminhandle' function. This makes it possible for authenticated attackers, with subscriber-level permissions...
404 Error Monitor <= 1.1 - Cross-Site Request Forgery to Plugin Settings Update via updatePluginSettings Function
Description The 404 Error Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the updatePluginSettings function. This makes it possible for unauthenticated attackers to make...
PT-2024-16771 · WordPress · 404 Error Monitor
Name of the Vulnerable Software and Affected Versions: 404 Error Monitor plugin for WordPress versions up to, and including, 1.1 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the updatePluginSettings function. This allows...
CVE-2024-10854
CVE-2024-10854 concerns the WordPress plugin Buy one click WooCommerce (<= 2.2.9). The root cause is a missing capability check on the AJAX action buy_one_click_import_options , allowing authenticated users with Subscriber-level access and above to modify/import plugin settings. The vulnerabil...
CVE-2024-10854 Buy one click WooCommerce <= 2.2.9 - Missing Authorization to Authenticated (Subscriber+) Settings Import
The Buy one click WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buy_one_click_import_options AJAX action in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with Subscriber-leve...
CVE-2024-10294
CVE-2024-10294 affects the WordPress CE21 Suite plugin. The root cause is a missing capability check in ce21_single_sign_on_save_api_settings, allowing unauthenticated attackers to modify plugin settings in versions up to 2.2.0. The impact is unauthorized modification of data/settings. Wordfence ...
WordPress CE21 Suite plugin <= 2.2.0 - Missing Authorization to Unauthenticated Plugin Settings Change vulnerability
Missing Authorization to Unauthenticated Plugin Settings Change vulnerability discovered by István Márton in WordPress Plugin CE21 Suite versions <= 2.2.0...
CVE-2024-37106 WordPress WishList Member X plugin < 3.26.7 - Unauthenticated Plugin Settings Change Leading to Stored XSS vulnerability
Missing Authorization vulnerability in WishList Products WishList Member X allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WishList Member X: from n/a through 3.26.6...
CVE-2024-9434
The WPGlobus Translate Options plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the ontranslateoptionspage function. This makes it possible for unauthenticated attackers to inject...
CVE-2024-9434 WPGlobus Translate Options <= 2.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The WPGlobus Translate Options plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the ontranslateoptionspage function. This makes it possible for unauthenticated attackers to inject...
CVE-2024-10040 Infinite-Scroll <= 2.6.2 - Cross-Site Request Forgery to Plugin Settings Update
The Infinite-Scroll plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.2. This is due to missing or incorrect nonce validation on the processajaxedit and processajaxdelete functions. This makes it possible for unauthenticated attackers to mak...
CVE-2023-7288
The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the update_profile_preference function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with...
CVE-2023-7288
The Paytium: Mollie payment forms & donations WordPress plugin is affected up to version 4.3.7 due to a missing capability check in update_profile_preference. This allows authenticated users with subscriber-level access to modify plugin settings, potentially impacting data integrity. Remediation:...