Sassy Social Share < 3.3.63 - Admin+ Stored Cross-Site Scripting
Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. PoC: 1. Go to the plugin's settings. 2...
WordPress Survey Maker plugin < 4.2.9 - Admin+ Stored XSS via Plugin Settings vulnerability
Admin+ Stored XSS via Plugin Settings vulnerability discovered by Krugov Artyom in WordPress Plugin Survey Maker versions 4.2.9...
CVE-2024-4061 Survey Maker < 4.2.9 - Admin+ Stored XSS via Plugin Settings
The Survey Maker WordPress plugin before 4.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
PT-2024-21920 · WordPress · VikBooking Hotel Booking Engine & PMS
Name of the Vulnerable Software and Affected Versions: VikBooking Hotel Booking Engine & PMS WordPress plugin versions prior to 1.6.8 Description: The access control mechanism in the VikBooking Hotel Booking Engine & PMS WordPress plugin fails to properly restrict access to its settings. This...
CVE-2024-4463 Squelch Tabs and Accordions Shortcodes <= 0.4.7 - Cross-Site Request Forgery
The Squelch Tabs and Accordions Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.4.7. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to modify...
CVE-2024-4082
CVE-2024-4082 : The Joli FAQ SEO – WordPress FAQ Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 1.3.2 due to missing nonce validation when saving settings. This enables unauthenticated attackers to change plugin settings by inducing an administrator action....
CVE-2024-4103 ADFO – Custom data in admin dashboard <= 1.9.0 - Cross-Site Request Forgery
The ADFO – Custom data in admin dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.0. This is due to missing or incorrect nonce validation on several functions hooked via the controller function. This makes it possible for...
White Label CMS < 2.7.4 - Missing Authorization to Plugin Settings Reset
Description: The White Label CMS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the resetplugin function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to reset plugin settings...
CVE-2022-40218 WordPress TH Advance Product Search plugin <= 1.1.4 - Unauthenticated Plugin Settings Change vulnerability
Missing Authorization vulnerability in ThemeHunk Advance WordPress Search Plugin. This issue affects Advance WordPress Search Plugin: from n/a through 1.1.4...
ADFO – Custom data in admin dashboard < 1.9.1 - Cross-Site Request Forgery
Description: The ADFO – Custom data in admin dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.0. This is due to missing or incorrect nonce validation on several functions hooked via the controller function. This makes it possible...
CVE-2024-1809
The Analytify – Google Analytics Dashboard For WordPress GA4 analytics made easy plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on AJAX functions in combination with nonce leakage in all versions up to, and including, 5.2.3. This makes it...
CVE-2024-1677 Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce <= 3.4.6 - Improper Authorization
The Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to an improper capability check on 42 separate AJAX functions in all versions up to, and...
IDonate <= 1.9.0 - Admin+ Stored XSS
Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. PoC: 1. Navigate to...
Survey Maker < 4.2.9 - Admin+ Stored XSS via Plugin Settings
Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. PoC: 1. Add New Survey 2. Choose any...
Survey Maker < 4.2.9 - Admin+ Stored XSS via Plugin Settings
Description: The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup. 1. Add New Survey 2. Choose any...
PT-2024-20719 · WordPress · GamiPress
Name of the Vulnerable Software and Affected Versions: GamiPress WordPress plugin versions prior to 6.8.9 Description: The access control mechanism in the GamiPress WordPress plugin fails to properly restrict access to its settings. This allows Authors to manipulate requests and extend access to...
CVE-2024-32951 WordPress Max Addons Pro for Bricks plugin <= 1.6.1 - Unauthenticated Plugin Settings Reset vulnerability
Missing Authorization vulnerability in BloomPixel Max Addons Pro for Bricks.This issue affects Max Addons Pro for Bricks: from n/a through 1.6.1...
Benchmark Email Lite < 4.2 - Cross-Site Request Forgery via page_settings()
Description: The Benchmark Email Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.1. This is due to missing or incorrect nonce validation on the page_settings function. This makes it possible for unauthenticated attackers to update the plugin...
WordPress Hosting Benchmark tool < 1.3.7 - Cross-Site Request Forgery via execute_plugin()
Description: The WordPress Hosting Benchmark tool plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.6. This is due to missing or incorrect nonce validation on the execute_plugin function. This makes it possible for unauthenticated attackers to...