CVE-2024-7574
The Christmasify! plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.5. This is due to missing nonce validation on the 'options' function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious...
CVE-2024-3636 Pinpoint Booking System < 2.9.9.4.8 - Admin+ Stored XSS
The Pinpoint Booking System WordPress plugin before 2.9.9.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
CVE-2024-7031 File Manager Pro – Filester <= 1.8.2 - Authenticated Plugin Settings Update
The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'njt_fs_saveSettingRestrictions' function in all versions up to, and including, 1.8.2. This makes it possible for authenticated attackers, with a role tha...
CVE-2024-7031
The CVE-2024-7031 entry concerns the WordPress File Manager Pro – Filester plugin. A missing capability check in njt_fs_saveSettingRestrictions allows authenticated users, granted permissions by an Administrator, to modify plugin settings related to user role restrictions and uploads (e.g., enabl...
WordPress plugin Forminator security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...
PT-2024-37895 · Funnelkit · The Funnel Builder For Wordpress
Name of the Vulnerable Software and Affected Versions: The Funnel Builder for WordPress by FunnelKit versions up to, and including, 3.4.6 Description: The issue allows authenticated attackers with Contributor-level access and above to update multiple settings due to a missing capability check on...
CVE-2024-5804
The Conditional Fields for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.13. This is due to missing or incorrect nonce validation on the wpcf7cfadmininit function. This makes it possible for unauthenticated attackers to reset...
CVE-2024-6579 Web and WooCommerce Addons for WPBakery Builder <= 1.4.5 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification
The Web and WooCommerce Addons for WPBakery Builder plugin for WordPress is vulnerable to unauthorized plugin settings modification due to a missing capability check on several plugin functions in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with...
CVE-2024-6579
CVE-2024-6579 affects the Web and WooCommerce Addons for WPBakery Builder plugin for WordPress. The vulnerability arises from a missing capability check in several plugin functions, allowing authenticated attackers with Subscriber-level access and above to modify plugin settings. Affected version...
WordPress plugin WP QuickLaTeX security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...
WordPress Sirv plugin <= 7.2.7 - Authenticated (Subscriber+) Missing Authorization to Plugin Settings Update vulnerability
Authenticated (Subscriber+) Missing Authorization to Plugin Settings Update vulnerability discovered by Rafshanzani Suhada in WordPress Plugin Sirv versions <= 7.2.7...
CVE-2024-5648
The LearnDash LMS – Reports plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions, i.e. wrldsetconfiguration, wrldexcludesettingssave, applytimetrackingsettings, wpajaxwrldgutenbergblockvisit, etc., in all versions up to, and...
CVE-2024-5648 LearnDash LMS - Reports Free <= 1.8.2 - Missing Authorization to Plugin Settings Update
The LearnDash LMS – Reports plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...
WordPress EventON plugin <= 2.2.15 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting and Plugin Settings Updates vulnerability
Missing Authorization to Unauthenticated Stored Cross-Site Scripting and Plugin Settings Updates vulnerability discovered by Lucio Sá in WordPress Plugin EventON versions <= 2.2.15...
CVE-2024-6180 EventON <= 2.2.15 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting and Plugin Settings Updates
The EventON plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eventonimportsettings' ajax action in all versions up to, and including, 2.2.15. This makes it possible for unauthenticated attackers to update plugin settings, including...
PT-2024-36419 · WordPress · Easy Pixels
Name of the Vulnerable Software and Affected Versions: Easy Pixels plugin for WordPress versions up to, and including, 2.13 Description: The issue is related to Stored Cross-Site Scripting via plugin settings due to insufficient input sanitization and output escaping. This allows unauthenticated...
CVE-2024-5641
The One Click Order Re-Order plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'cedocorsavegeneralsetting' function in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2024-3593 UberMenu <= 3.8.3 - Cross-Site Request Forgery to Settings Reset
The UberMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the ubermenudeleteallitemsettings and ubermenuresetsettings functions. This makes it possible for unauthenticated...
CVE-2024-1955 Hide Dashboard Notifications <= 1.3 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Modification
The Hide Dashboard Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'warningnoticessettings' function in all versions up to, and including, 1.3. This makes it possible for authenticated attackers, with contributor acces...