WP Hotel Booking < 2.0.1 - Unauthenticated Arbitrary Settings Update
The plugin does not have authorisation and CSRF checks in place when updating its settings, which could allow unauthenticated attackers to change them. PoC: All settings are affected; for example, to change the Thousands Separator one, run the below command in the developer console of the web browser...
CVE-2022-29495
Cross-Site Request Forgery (CSRF) vulnerability in Sygnoos Popup Builder plugin <= 4.1.11 at WordPress allows an attacker to update plugin settings...
CVE-2022-29495
Concisely: The WordPress plugin Sygnoos Popup Builder (WP Plugin: Popup Builder) is affected up to version 4.1.11 by a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to update plugin settings. The root cause is insufficient CSRF protection in settings update handling. Rep...
PT-2022-19658
Name of the Vulnerable Software and Affected Versions: Sygnoos Popup Builder plugin versions <= 4.1.11. Description: A Cross-Site Request Forgery (CSRF) issue allows an attacker to update plugin settings. Recommendations: For Sygnoos Popup Builder plugin versions <= 4.1.11, update to a version higher tha...
Better Tag Cloud <= 0.99.5 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed, for example in a multisite setup. PoC: Put the following payload in any text field setting...
WordPress plugin Wbcom Designs – BuddyPress Group Review security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability exists in...
WordPress Opt-in plugin cross-site request forgery vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plugin. Version 1.4.1 of the WordPress Opt-in plugin is vulnerable to cross-site request forgery, which can b...
CVE-2022-2123
The WP Opt-in WordPress plugin through 1.4.1 is vulnerable to CSRF, which allows changing plugin settings and can be used for sending spam emails...
CVE-2022-2123
The CVE entry CVE-2022-2123 corresponds to the WP Opt-in WordPress plugin (versions
WordPress plugin Opt-in cross-site request forgery vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plugin. Version 1.4.1 of the WordPress Opt-in plugin is vulnerable to cross-site request forgery, which can b...
CVE-2022-1321
The miniOrange's Google Authenticator WordPress plugin before 5.5.6 does not sanitise and escape some of its settings, allowing malicious users with administrator privileges to store malicious JavaScript code, leading to Cross-Site Scripting attacks when unfiltered_html is disallowed, for example ...
Cross-Site Request Forgery (CSRF)
The New User Approve WordPress plugin before 2.4 does not have a CSRF check in place when updating its settings and adding invitation codes, which could allow attackers to add invitation codes for bypassing the provided restrictions and to change plugin settings by tricking admin users into visitin...
CVE-2021-36891
Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery by Supsystic plugin <= 1.15.5 at WordPress allows changing the plugin settings...
CVE-2021-36891 WordPress Photo Gallery by Supsystic plugin <= 1.15.5 - Cross-Site Request Forgery (CSRF) leading to Plugin Settings Change
Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery by Supsystic plugin <= 1.15.5 at WordPress allows changing the plugin settings...
WordPress XCloner plugin < 4.3.5 - Unauthenticated Plugin Settings Reset vulnerability
Unauthenticated Plugin Settings Reset vulnerability discovered by Krzysztof Zając in WordPress XCloner plugin versions 4.3.5. Solution: Update the WordPress XCloner Backup, Restore and Migrate plugin to the latest available version, at least 4.3.6...
XCloner < 4.3.6 - Plugin Settings Reset
The plugin does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key. v4.3.5 added a capability check, but the CSRF one is still missing. v...
Social Share Buttons by Supsystic < 2.2.4 - Multiple CSRF
The plugin does not perform CSRF checks in its AJAX endpoints and admin pages, allowing an attacker to trick any logged-in user into manipulating or changing the plugin settings, as well as creating, deleting and renaming projects and networks. PoC...
Print, PDF, Email by PrintFriendly < 5.2.3 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape the Custom Button Text setting, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. In the plugin's settings, tick 'Custom Button' and put the following payload ...
CardGate Payments plugin for WooCommerce does not validate request origin
An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass...
GHSA-5PQ5-9PHV-Q5J3 CardGate Payments plugin for WooCommerce does not validate request origin
An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass...