Lucene search
+L

3899 matches found

OSV
OSV
added 2022/02/28 9:15 a.m.7 views

CVE-2021-24971

The WP Responsive Menu WordPress plugin before 3.1.7.1 does not have capability and CSRF checks in the wprliveupdate AJAX action, as well as do not sanitise and escape some of the data submitted. As a result, any authenticated, such as subscriber could update the plugin's settings and perform...

5.4CVSS6.1AI score0.00591EPSS
Exploits2References1
OSV
OSV
added 2022/02/14 12:15 p.m.6 views

CVE-2021-25014

The Ibtana WordPress plugin before 1.1.4.9 does not have authorisation and CSRF checks in the ivesavegeneralsettings AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings which could lead to Stored Cross-Site Scripting issue...

3.5CVSS5.8AI score0.0059EPSS
Exploits2References1
OSV
OSV
added 2022/02/01 1:15 p.m.3 views

CVE-2021-25097

The LabTools WordPress plugin through 1.0 does not have proper authorisation and CSRF check in place when deleting publications, allowing any authenticated users, such as subscriber to delete arbitrary publication...

6.5CVSS6.7AI score0.00382EPSS
Exploits1References1
OSV
OSV
added 2022/01/24 8:15 a.m.4 views

CVE-2021-25013

The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubelydeletesavedblock AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts...

6.5CVSS6.7AI score0.00429EPSS
Exploits2References1
OSV
OSV
added 2022/01/24 8:15 a.m.5 views

CVE-2021-24968

The Ultimate FAQ WordPress plugin before 2.1.2 does not have capability and CSRF checks in the ewdufaqwelcomeaddfaq and ewdufaqwelcomeaddfaqpage AJAX actions, available to any authenticated users. As a result, any users, with a role as low as Subscriber could create FAQ and FAQ questions...

5.7CVSS6.2AI score0.00426EPSS
Exploits2References2
OSV
OSV
added 2021/12/21 9:15 a.m.10 views

CVE-2021-24750

The WP Visitor Statistics Real Time Traffic WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks...

8.8CVSS5.8AI score0.38298EPSS
Exploits5References3
OSV
OSV
added 2021/12/13 11:15 a.m.4 views

CVE-2021-24790

The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its deletecf7data and exportcf7data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The...

4.3CVSS5.9AI score0.0037EPSS
Exploits2References1
OSV
OSV
added 2021/12/13 11:15 a.m.3 views

CVE-2021-24780

The Single Post Exporter WordPress plugin through 1.1.1 does not have CSRF checks when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and give access to the export feature to any role such as subscriber. Subscriber users would then be able...

4.3CVSS5.9AI score0.00435EPSS
Exploits2References1
Prion
Prion
added 2021/11/19 4:15 p.m.22 views

Sql injection

The "Duplicate Post" WordPress plugin up to and including version 1.1.9 is vulnerable to SQL Injection. SQL injection vulnerabilities occur when client supplied data is included within an SQL Query insecurely. SQL Injection can typically be exploited to read, modify and delete SQL table data. In...

9CVSS9.1AI score0.09509EPSS
Exploits3References2Affected Software1
CNNVD
CNNVD
added 2021/11/01 12:0 a.m.4 views

WordPress 安全漏洞

WordPress is a set of blogging platforms developed using the PHP language by the WordPress Wordpress Foundation. The platform supports personal blog sites on servers with PHP and MySQL. A security vulnerability exists in WordPress Plugins, which stems from The AutomatorWP WordPress plugin does no...

8.8CVSS7.9AI score0.01294EPSS
Exploits2References1
OSV
OSV
added 2021/04/05 7:15 p.m.4 views

CVE-2021-24207

By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages...

4.3CVSS5.8AI score0.00689EPSS
Exploits2References2
OSV
OSV
added 2021/04/05 7:15 p.m.4 views

CVE-2021-24164

In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wpajaxnfoauth, and retrieve the connection url needed to establish a connection. They could also retrieve the clientid for an already established OAuth connecti...

4.3CVSS5.8AI score0.00889EPSS
Exploits2References2
CNNVD
CNNVD
added 2021/04/05 12:0 a.m.6 views

WordPress plugin WP Page Builder 访问控制错误漏洞

WordPress is the Wordpress Foundation's set of blogging platform developed using the PHP language . The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an open source application plugin for WordPress. A security vulnerability exists in the WP Pag...

4.3CVSS5.1AI score0.00689EPSS
Exploits2References3
OSV
OSV
added 2020/05/17 1:15 a.m.4 views

CVE-2020-13126

An issue was discovered in the Elementor Pro plugin before 2.9.4 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13125. An attacker with the Subscriber role can upload arbitrary executable files to achieve remote code execution. NOTE: the free Elementor plugin is...

9.9CVSS7.1AI score0.08565EPSS
Exploits1References2
OSV
OSV
added 2019/09/13 1:15 p.m.5 views

CVE-2019-12517

An XSS issue was discovered in the slickquiz plugin through 1.3.7.1 for WordPress. The savequizscore functionality available via the /wp-admin/admin-ajax.php endpoint allows unauthenticated users to submit quiz solutions/answers, which are stored in the database and later shown in the WordPress...

6.1CVSS6.8AI score0.01248EPSS
Exploits4References2
OSV
OSV
added 2019/08/27 12:15 p.m.4 views

CVE-2019-15648

The insert-or-embed-articulate-content-into-wordpress plugin before 4.29991 for WordPress has insufficient restrictions on deleting or renaming by a Subscriber...

6.5CVSS5.8AI score0.00625EPSS
Exploits2References2
OSV
OSV
added 2018/02/08 7:29 a.m.3 views

CVE-2018-0116

A vulnerability in the RADIUS authentication module of Cisco Policy Suite could allow an unauthenticated, remote attacker to be authorized as a subscriber without providing a valid password; however, the attacker must provide a valid username. The vulnerability is due to incorrect RADIUS user...

7.2CVSS5.8AI score0.0108EPSS
Exploits0References2
CNVD
CNVD
added 2018/02/08 12:0 a.m.7 views

Cisco Policy Suite Authentication Bypass Vulnerability

Cisco Policy Suite CPS is a next-generation policy management solution from Cisco. The program provides user-based business rules, applications and real-time management of network resources and other functions. RADIUS authentication module is one of the RADIUS protocol authentication module. An...

7.2CVSS7.1AI score0.0108EPSS
Exploits0References1
CNVD
CNVD
added 2015/07/31 12:0 a.m.17 views

WordPress Draft Creation Vulnerability

WordPress is a use of PHP language development blog platform, users can support PHP and MySQL database server set up their own weblog. WordPress has a security vulnerability, users with Subscriber rights can create drafts through the Quick Draft feature...

4CVSS6.7AI score0.08814EPSS
Exploits1References1
Rows per page
Query Builder