7 matches found
CVE-2019-25142
The Mesmerize & Materialis themes for WordPress are vulnerable to authenticated options change in versions up to, and including, 1.6.89 Mesmerize and 1.0.172 Materialis. This is due to the 'companiondisablepopup' function only checking the nonce while sending user input to the 'update_option' function...
CVE-2020-36720 Kali Forms <= 2.1.1 - Missing Authorization to Settings Update
The Kali Forms plugin for WordPress is vulnerable to Authenticated Options Change in versions up to, and including, 2.1.1. This is due to the update_option lacking proper authentication checks. This makes it possible for any authenticated attacker to change or delete the plugin's settings...
CVE-2019-15769
The handl-utm-grabber plugin before 2.6.5 for WordPress has CSRF via add_option and update_option...
CVE-2019-15769
The CVE-2019-15769 entry concerns the WordPress plugin HandL UTM Grabber, affected prior to version 2.6.5. The vulnerability is described as a cross-site request forgery (CSRF) via add_option and update_option, effectively an authenticated option change vulnerability. Root cause details across so...
CVE-2019-15769
The handl-utm-grabber plugin before 2.6.5 for WordPress has CSRF via add_option and update_option...
One Click SSL <= 1.4.6 - Multiple Issues
Lack of CSRF and authorisation checks in the settings page, as well as AJAX methods such as ajaxenablessl, ajaxscan and so on could allow unauthorised settings change as well as call of the AJAX methods by a low privileged user. Additionally, it could also allow arbitrary site options update due ...
Erident Custom Login & Dashboard 3.4-3.4.1 - Stored Cross-Site Scripting (XSS)
The Erident Custom Login and Dashboard plugin exposes a call to the update_option method when a specific POST field is posted to the plugin's settings screen. No CSRF token is used, and as such if an Administrative user can be tricked into visiting a site with a malicious form, it is possible to...