55 matches found
CVE-2024-6579
The Web and WooCommerce Addons for WPBakery Builder plugin for WordPress is vulnerable to unauthorized plugin settings modification due to a missing capability check on several plugin functions in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with...
CVE-2024-2797
The MailerLite – Signup forms official plugin for WordPress is vulnerable to unauthorized plugin setting changes due to a missing capability check on the toggleRolesAndPermissions and editAllowedRolesAndPermissions functions in all versions up to, and including, 1.7.6. This makes it possible for...
CVE-2024-1217 Contact Form builder with drag & drop for WordPress – Kali Forms <= 2.3.41 - Missing Authorization to Arbitrary Plugin Deactivation
The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the awaitplugindeactivation function in all versions up to, and including, 2.3.41. This makes it possible for...
CVE-2023-6985
The 10Web AI Assistant – AI content writing assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the installplugin AJAX action in all versions up to, and including, 1.0.18. This makes it possible for authenticated attackers, with...
PT-2024-20457 · Lobe Chat · Lobe Chat
Name of the Vulnerable Software and Affected Versions: Lobe Chat versions prior to 0.122.4 Description: The issue allows access to plugins without proper authorization when the application is password-protected and deployed with the ACCESS CODE option. This means that even though the application...
PT-2024-15743 · WordPress · Colormag
Name of the Vulnerable Software and Affected Versions: ColorMag theme for WordPress versions up to, and including, 3.1.2 Description: The ColorMag theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the plugin action callback function. This makes it...
CVE-2023-6751 Hostinger <= 1.9.7 - Missing Authorization to Maintenance Mode Activation
The Hostinger plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the function publishwebsite in all versions up to, and including, 1.9.7. This makes it possible for unauthenticated attackers to enable and disable maintenance mode...
CVE-2023-0958
Several plugins for WordPress by Inisev are vulnerable to unauthorized installation of plugins due to a missing capability check on the handleinstallation function that is called via the inisevinstallation AJAX aciton in various versions. This makes it possible for authenticated attackers with...
CVE-2023-2869 WP-Members Membership <= 3.4.7.3 - Missing Authorization to Settings Update
The WP-Members Membership plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the dofieldreorder function in versions up to, and including, 3.4.7.3. This makes it possible for authenticated attackers with subscriber-level access to reorde...
CVE-2023-2869
CVE-2023-2869 concerns the WordPress WP-Members Membership plugin. The vulnerability arises from a missing capability check in the do_field_reorder function, allowing authenticated users with subscriber-level access to reorder form elements on login forms and thereby perform unauthorized updates ...
Formidable Forms < 6.3.1 - Subscriber+ Remote Code Execution
The plugin does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site,...
CVE-2023-1335
The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the ucssconnect function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access t...
CVE-2023-1335 RapidLoad Power-Up for Autoptimize <= 1.7.1 - Missing Authorization in 'ucss_connect'
The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the ucssconnect function in versions up to, and including, 1.7.1. This makes it possible for authenticated attackers with subscriber-level access t...
WordPress Catch Gallery plugin <= 1.6.8 - Unauthorized Plugin Setting Change vulnerability
Unauthorized Plugin Setting Change vulnerability discovered by apple502j in WordPress Catch Gallery plugin versions = 1.6.8. Solution Update the WordPress Catch Gallery plugin to the latest available version at least 1.7...
WordPress Catch Infinite Scroll plugin <= 1.8.1 - Unauthorized Plugin Setting Change vulnerability
Unauthorized Plugin Setting Change vulnerability discovered by apple502j in WordPress Catch Infinite Scroll plugin versions = 1.8.1. Solution Update the WordPress Catch Infinite Scroll plugin to the latest available version at least 1.9...