4960 matches found
CVE-2023-6223
The LearnPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.5.7 via the /wp-json/lp/v1/profile/course-tab REST API due to missing validation on the 'userID' user controlled key. This makes it possible for authenticated attackers,...
CVE-2023-6223 LearnPress <= 4.2.5.7 - Insecure Direct Object Reference to Information Disclosure
The LearnPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.5.7 via the /wp-json/lp/v1/profile/course-tab REST API due to missing validation on the 'userID' user controlled key. This makes it possible for authenticated attackers,...
CVE-2023-6223
CVE-2023-6223 affects the LearnPress – WordPress LMS Plugin. The issue is an insecure direct object reference (IDOR) in all versions up to and including 4.2.5.7, exposed via the /wp-json/lp/v1/profile/course-tab REST API. Missing validation on the userID parameter lets authenticated users with su...
WordPress WP Google Maps Plugin < 9.0.28 XSS Vulnerability
Greenbone vulnerability test for the WordPress plugin (SPDX-FileCopyrightText: 2024 Greenbone AG; SPDX-License-Identifier: GPL-2.0-only; some text descriptions may be excerpted from referenced sources and are Copyright (C) the respective right holders). CPE = "cpe:/a:codecabin:wpgomaps"; if description...
WordPress Download Monitor Plugin < 4.7.70 Information Disclosure Vulnerability
Greenbone vulnerability test for the WordPress plugin (SPDX-FileCopyrightText: 2024 Greenbone AG; SPDX-License-Identifier: GPL-2.0-only; some text descriptions may be excerpted from referenced sources and are Copyright (C) the respective right holders). CPE = "cpe:/a:wpchill:downloadmonitor"; if description...
CVE-2023-6627
The WP Go Maps formerly WP Google Maps WordPress plugin before 9.0.28 does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/Javascript on the site...
Design/Logic Flaw
The WP Go Maps formerly WP Google Maps WordPress plugin before 9.0.28 does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/Javascript on the site...
CVE-2023-6627 WP Go Maps < 9.0.28 - Unauthenticated Stored XSS
The WP Go Maps formerly WP Google Maps WordPress plugin before 9.0.28 does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/Javascript on the site...
CVE-2023-6627
The CVE-2023-6627 entry concerns the WP Go Maps (formerly WP Google Maps) WordPress plugin and a vulnerability in versions prior to 9.0.28. The issue is that most REST API routes are not properly protected, allowing unauthenticated attackers to store malicious HTML/JavaScript on a site via the af...
PT-2024-15030 · WordPress · Wp Go Maps
Name of the Vulnerable Software and Affected Versions: WP Go Maps versions prior to 9.0.28 Description: The issue concerns the WP Go Maps WordPress plugin, where most of its REST API routes are not properly protected. This allows attackers to store malicious HTML/Javascript on the site...
VulnCheck KEV: CVE-2022-29081
Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs for SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents, and Synchronize via the ../RestAPI...
LA-Studio Element Kit for Elementor < 1.1.6 - Missing Authorization
Description The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on a REST-API endpoint in versions up to, and including, 1.1.5. This makes it possible for unauthenticated attackers to update the plugin's...
LearnPress < 4.2.5.8 - Subscriber+ Arbitrary Course Progress Disclosure
Description The plugin is vulnerable to Insecure Direct Object Reference in the /wp-json/lp/v1/profile/course-tab REST API due to missing validation on the 'userID' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve the...
Code injection
The WP Mail Log WordPress plugin before 1.1.3 does not correctly authorize its REST API endpoints, allowing users with the Contributor role to view and delete data that should only be accessible to Admin users...
CVE-2023-5644 WP Mail Log < 1.1.3 – Incorrect Authorization in REST API Endpoints
The WP Mail Log WordPress plugin before 1.1.3 does not correctly authorize its REST API endpoints, allowing users with the Contributor role to view and delete data that should only be accessible to Admin users...
CVE-2023-5644
The WP Mail Log WordPress plugin (versions before 1.1.3) has an insecure REST API authorization flaw. The vulnerability allows users with the Contributor role to access and delete data that should be Admin-only, due to improper endpoint authorization in the wml/v1 REST API. The impact is exposure...
WordPress plugin WP Mail Log security vulnerability
WordPress and its plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that supports personal blog sites on PHP and MySQL servers; WP Mail Log is a plugin for it. A security vulnerability exists in the...
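Several of the entries above describe the same root cause in WordPress REST routes: either the route has no real permission_callback (WP Go Maps, LA-Studio Element Kit, WP Mail Log), or it has one but the handler never checks that the caller may act on the object it names (the LearnPress userID IDOR). The following is an added example, not code from LearnPress, WP Mail Log, WP Go Maps or any other plugin listed here. It shows the vulnerable registration beside a hardened one. The namespace "example/v1", the example_* function names and the "manage_options" capability used for staff access are assumptions; the route path is only modelled on the /lp/v1/profile/course-tab path quoted in the advisories.

```php
<?php
// Added example (hypothetical plugin code). Namespace, route and function names
// are assumptions; the route path is modelled on the advisory's course-tab path.

// VULNERABLE pattern: permission_callback always returns true, and the handler
// trusts the caller-supplied userID. Any caller who can reach /wp-json/ can read
// any user's record (an IDOR); because no login is required, it is unauthenticated.
function example_register_vulnerable_route() {
    register_rest_route( 'example/v1', '/profile/course-tab', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_course_tab_vulnerable',
        'permission_callback' => '__return_true', // no authorization at all
    ) );
}

function example_course_tab_vulnerable( WP_REST_Request $request ) {
    $user_id = absint( $request->get_param( 'userID' ) ); // attacker-controlled
    return rest_ensure_response( example_load_course_progress( $user_id ) );
}

// HARDENED pattern: permission_callback rejects anonymous callers, the argument
// is typed and sanitized, and the handler binds userID to the caller's own
// identity unless the caller holds a capability that legitimately spans users.
function example_register_hardened_route() {
    register_rest_route( 'example/v1', '/profile/course-tab', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_course_tab_hardened',
        'permission_callback' => 'example_course_tab_permission',
        'args'                => array(
            'userID' => array(
                'type'              => 'integer',
                'required'          => true,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}

// Route-level check: who may call this route at all.
function example_course_tab_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    return true;
}

// Object-level check: which record this caller may read. This is the check the
// IDOR lacks; a capability check alone does not provide it.
function example_course_tab_hardened( WP_REST_Request $request ) {
    $requested = absint( $request->get_param( 'userID' ) );
    $caller    = get_current_user_id();

    // 'manage_options' stands in for whatever capability the plugin reserves for
    // staff who may view other users' progress (assumption for this example).
    if ( $requested !== $caller && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'You may only view your own course progress.', array( 'status' => 403 ) );
    }
    return rest_ensure_response( example_load_course_progress( $requested ) );
}

// Reads the progress record from user meta under a hypothetical meta key so the
// file is self-contained; a real plugin would query its own tables.
function example_load_course_progress( $user_id ) {
    $progress = get_user_meta( $user_id, 'example_course_progress', true );
    return array(
        'userID'  => $user_id,
        'courses' => is_array( $progress ) ? $progress : array(),
    );
}

add_action( 'rest_api_init', 'example_register_hardened_route' );
```

Two points worth checking in a code review of any plugin route: since WordPress 5.5 a route registered without any permission_callback triggers a _doing_it_wrong notice but is still registered and treated as public, so "no callback" and "__return_true" are equivalent from an attacker's view; and a passing current_user_can() check only answers "may this role use the route", not "may this user touch this object", so an ownership comparison like the one in example_course_tab_hardened is still required for any parameter that names another user's data.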