3901 matches found
CVE-2022-41655
Auth. subscriber+ Sensitive Data Exposure vulnerability in Phone Orders for WooCommerce plugin = 3.7.1 on WordPress...
CVE-2022-40130
Auth. subscriber+ Race Condition vulnerability in WP-Polls plugin = 2.76.0 on WordPress...
CVE-2022-40216
Auth. subscriber+ Messaging Block Bypass vulnerability in Better Messages plugin = 1.9.10.69 on WordPress...
PT-2022-25983 · Unknown · Bp Better Messages
Name of the Vulnerable Software and Affected Versions: Better Messages plugin version 1.9.10.68 Description: The issue is related to an Authenticated Server-Side Request Forgery SSRF vulnerability. This means that an attacker could potentially forge requests to internal or external services, but...
PT-2022-26073 · WordPress · Soledad
Name of the Vulnerable Software and Affected Versions: Soledad premium theme version 8.2.5 and earlier Description: A Cross-Site Scripting XSS issue affects the Soledad premium theme on WordPress, specifically for users with subscriber or higher authentication. This issue allows for malicious...
CVE-2022-38461
Broken Access Control vulnerability in WPML Multilingual CMS premium plugin = 4.5.10 on WordPress allows users with a subscriber or higher user role to change plugin settings selected language for legacy widgets, the default behavior for media content...
PT-2022-24416 · WordPress · Wpml Multilingual Cms
Name of the Vulnerable Software and Affected Versions: WPML Multilingual CMS premium plugin versions = 4.5.10 Description: The issue allows users with a subscriber or higher user role to change plugin settings, including the selected language for legacy widgets and the default behavior for media...
CVE-2022-40206
Insecure direct object references IDOR vulnerability in the wpForo Forum plugin = 2.0.5 on WordPress allows attackers with subscriber or higher user roles to mark any forum post as private/public...
WordPress plugin wpForo Forum 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...
CVE-2022-3536 Role Based Pricing for WooCommerce < 1.6.3 - Subscriber+ PHAR Deserialization
The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, an...
CVE-2022-3401
The Bricks theme for WordPress is vulnerable to remote code execution due to the theme allowing site editors to include executable code blocks in website content in versions 1.2 to 1.5.3. This, combined with the missing authorization vulnerability CVE-2022-3400, makes it possible for authenticate...
CVE-2022-3401
The Bricks theme for WordPress is vulnerable to remote code execution due to the theme allowing site editors to include executable code blocks in website content in versions 1.2 to 1.5.3. This, combined with the missing authorization vulnerability CVE-2022-3400, makes it possible for authenticate...
CVE-2022-38134
Authenticated subscriber+ Broken Access Control vulnerability in Customer Reviews for WooCommerce plugin = 5.3.5 at WordPress...
CVE-2022-38058
Authenticated subscriber+ Plugin Setting change vulnerability in WP Shamsi plugin = 4.1.1 at WordPress...
PT-2022-21707 · WordPress · Wordplus Better Messages
Name of the Vulnerable Software and Affected Versions: WordPlus WordPress Better Messages plugin versions = 1.9.10.57 Description: The issue is an authenticated Denial Of Service DoS vulnerability. This means that an attacker who has subscriber-level access or higher can exploit this issue to cau...
PT-2022-13797 · WordPress · Discy
Name of the Vulnerable Software and Affected Versions: Discy WordPress theme versions prior to 5.0 Description: The issue allows any logged-in users, with privileges as low as Subscriber, to change theme options by sending a crafted POST request to the "discy update options" action due to a lack ...
CVE-2022-2369
The YaySMTP WordPress plugin before 2.2.1 does not have capability check in an AJAX action, allowing any logged in users, such as subscriber to view the Logs of the plugin...
CVE-2022-29444
Plugin Settings Change leading to Cross-Site Scripting XSS vulnerability in Cloudways Breeze plugin = 2.0.2 on WordPress allows users with a subscriber or higher user role to execute any of the wpajax actions in the class BreezeConfiguration which includes the ability to change any of the plugin'...
VulnCheck KEV: CVE-2022-29444
Plugin Settings Change leading to Cross-Site Scripting XSS vulnerability in Cloudways Breeze plugin = 2.0.2 on WordPress allows users with a subscriber or higher user role to execute any of the wpajax actions in the class BreezeConfiguration which includes the ability to change any of...
CVE-2022-0403
The Library File Manager WordPress plugin before 5.2.3 is using an outdated version of the elFinder library, which is know to be affected by security issues CVE-2021-32682, and does not have any authorisation as well as CSRF checks in its connector AJAX action, allowing any authenticated users,...