849 matches found
PT-2023-16904 · WordPress · Rapidload Power-Up For Autoptimize
Name of the Vulnerable Software and Affected Versions: RapidLoad Power-Up for Autoptimize plugin for WordPress versions up to, and including, 1.7.1 Description: The issue is related to a missing capability check on the ucss connect function, allowing authenticated attackers with subscriber-level...
Design/Logic Flaw
The NEX-Forms plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including, 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber-level permissions and above to...
About Me 3000 widget <= 2.2.6 - CSRF
The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...
WP Image Carousel <= 1.0.2 - Contributor+ Stored XSS
The plugin does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks. 1. Go to the plugin settings and insert all the settings, then save. 2. Insert the following shortcode in a post/page: wpic speed='""; alert1...
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) vulnerability in HasThemes ShopLentor plugin <= 2.5.1 leading to plugin settings change...
CVE-2022-40198
Cross-Site Request Forgery (CSRF) vulnerability in StandaloneTech TeraWallet – For WooCommerce plugin <= 1.3.24 leading to plugin settings change...
CVE-2022-46797
Cross-Site Request Forgery (CSRF) vulnerability in Conversios All-in-one Google Analytics, Pixels and Product Feed Manager for WooCommerce plugin <= 5.2.3 leads to plugin settings change...
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) vulnerability in Conversios All-in-one Google Analytics, Pixels and Product Feed Manager for WooCommerce plugin <= 5.2.3 leads to plugin settings change...
CVE-2022-46798 WordPress WooLentor Plugin <= 2.5.1 is vulnerable to Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) vulnerability in HasThemes ShopLentor plugin <= 2.5.1 leading to plugin settings change...
CVE-2022-40198 WordPress TeraWallet – For WooCommerce Plugin <= 1.3.24 is vulnerable to Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) vulnerability in StandaloneTech TeraWallet – For WooCommerce plugin <= 1.3.24 leading to plugin settings change...
Wholesale Suite < 2.1.5.1 - Subscriber+ Missing Authorization for Plugin Settings Change
The plugin does not adequately authorize settings changes, allowing users with a role as low as Subscriber to update plugin settings...
Tapfiliate < 3.0.13 - Admin+ Stored XSS
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
PT-2023-14057 · WordPress · Link Library
Name of the Vulnerable Software and Affected Versions: Link Library WordPress plugin versions prior to 7.4.1 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, for example in...
CVE-2023-0086
The JetWidgets for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.12. This is due to missing nonce validation on the save function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forge...
VulnCheck KEV: CVE-2022-3805
The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the...
PT-2022-24381 · WordPress · Kwayy Html Sitemap
Name of the Vulnerable Software and Affected Versions: Kwayy HTML Sitemap WordPress plugin versions prior to 4.0 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, for example,...
PT-2022-25372 · WordPress · The Paytium: Mollie Payment Forms & Donations
Name of the Vulnerable Software and Affected Versions: The Paytium: Mollie payment forms & donations WordPress plugin versions prior to 4.3.7 Description: The issue concerns the lack of sanitization and escaping of some settings in the plugin, which could allow high-privilege users, such as admin...
CVE-2022-3805
The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the...