384 matches found
WordPress HC Custom WP-Admin URL plugin <= 1.4 - Unauthenticated Secret URL Disclosure vulnerability
Unauthenticated Secret URL Disclosure vulnerability discovered by Daniel Ruf in WordPress HC Custom WP-Admin URL plugin versions <= 1.4. Solution: Deactivate and delete. This plugin has been closed as of May 5, 2022 and is not available for download. This closure is temporary, pending a full review...
HC Custom WP-Admin URL <= 1.4 - Arbitrary Settings Update via CSRF
The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack, allowing them to change the login URL. The truncated proof-of-concept ends with an auto-submitting form: document.getElementById("test").submit();...
WPGlobus plugin Stored XSS & CSRF security vulnerability
The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[enabled_languages][en] or wpglobus_option[enabled_languages][fr] or any other language parameter to wp-admin/options.php...
WPGlobus plugin Stored XSS & CSRF security vulnerability
The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[more_languages] parameter to wp-admin/options.php...
GHSA-V9H6-53FX-GH4J WPGlobus plugin Stored XSS & CSRF security vulnerability
The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[browser_redirect][redirect_by_language] parameter to wp-admin/options.php...
GHSA-35MH-F6P8-PJ2C WPGlobus plugin Stored XSS & CSRF security vulnerability
The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[more_languages] parameter to wp-admin/options.php...
GHSA-GPQ5-VQVX-CH9J WPGlobus plugin Stored XSS & CSRF security vulnerability
The WPGlobus plugin 1.9.6 for WordPress has XSS via the wpglobus_option[enabled_languages][en] or wpglobus_option[enabled_languages][fr] or any other language parameter to wp-admin/options.php...
WPGlobus plugin Stored XSS & CSRF security vulnerability
The WPGlobus plugin 1.9.6 for WordPress has CSRF via wp-admin/options.php...
WordPress Change wp-admin login plugin <= 1.0.9 - Unauthenticated Arbitrary Settings Update vulnerability
Unauthenticated Arbitrary Settings Update vulnerability discovered by Daniel Ruf in WordPress Change wp-admin login plugin versions <= 1.0.9. Solution: Update the WordPress Change wp-admin login plugin to the latest available version (at least 1.1.0)...
CVE-2011-1762
A flaw exists in WordPress related to the 'wp-admin/press-this.php' script improperly checking user permissions when publishing posts. This may allow a user with Contributor-level privileges to post as if they had the 'publish_posts' capability...
Advanced Page Visit Counter < 6.1.6 - Subscriber+ Blind SQL injection
The plugin does not escape the artID parameter before using it in a SQL statement in the apvc_reset_count_art AJAX action, available to any authenticated user, leading to a SQL injection. v <= 5.0.8 - https://example.com/wp-admin/admin-ajax.php?action=apvc_reset_count_art&artID=sleep(10) ; v < 6.1.6 -...
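The entry above describes the classic shape of a WordPress AJAX SQL injection: a `wp_ajax_*` handler reachable by any logged-in user, with a request parameter concatenated into a query so that `artID=sleep(10)` turns into a time-based blind injection. The following is an added example, not code from the Advanced Page Visit Counter plugin; the handler name mirrors the advisory, but the table name, the `nonce` field and the `manage_options` capability are assumed. It shows the vulnerable pattern beside a hardened version that adds a capability check, a nonce check, integer coercion and a prepared statement.

```php
<?php
// Added example, not the plugin's own code. Table name, nonce action and
// required capability are assumptions for illustration.

// Vulnerable shape: artID is interpolated straight into SQL. Because the
// wp_ajax_ hook only requires an authenticated session, a Subscriber can
// call admin-ajax.php?action=apvc_reset_count_art&artID=sleep(10) and the
// query blocks for ten seconds, confirming blind SQL injection.
function apvc_reset_count_art_vulnerable() {
    global $wpdb;
    $art_id = $_REQUEST['artID'];
    $wpdb->query( "UPDATE {$wpdb->prefix}apvc_articles SET count = 0 WHERE article_id = $art_id" );
    wp_send_json_success();
}

// Hardened shape. Either absint() or $wpdb->prepare() alone would stop the
// injection; the capability and nonce checks additionally stop low-privilege
// users and CSRF from resetting counters at all.
function apvc_reset_count_art_hardened() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );          // sends JSON and exits
    }
    check_ajax_referer( 'apvc_reset_count', 'nonce' );   // dies on bad/missing nonce
    $art_id = absint( $_REQUEST['artID'] ?? 0 );         // "sleep(10)" -> 0
    if ( 0 === $art_id ) {
        wp_send_json_error( 'bad artID', 400 );
    }
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->prefix}apvc_articles SET count = 0 WHERE article_id = %d",
        $art_id
    ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_apvc_reset_count_art', 'apvc_reset_count_art_hardened' );
// No wp_ajax_nopriv_ registration: unauthenticated requests never reach the handler.
```

The nonce is minted on the page that triggers the reset with `wp_create_nonce( 'apvc_reset_count' )` and sent as the `nonce` parameter; `check_ajax_referer()` looks for it under that key. Note that the nonce on its own is not an authorization control, which is why the capability check comes first.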
WordPress SnazzyAdmin WP Admin Theme plugin <= 1.0.2 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress SnazzyAdmin WP Admin Theme plugin versions <= 1.0.2. Solution: No patched version available...
CVE-2021-24906
The Protect WP Admin WordPress plugin before 3.6.2 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin and therefore the protection offered via a crafted request...
Cross-site request forgery (CSRF)
The Protect WP Admin WordPress plugin before 3.6.2 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin and therefore the protection offered via a crafted request...
CVE-2021-24906
The CVE-2021-24906 entry concerns the WordPress Protect WP Admin plugin (pre-3.6.2). The vulnerability is an unauthenticated deactivation in lib/pwa-deactivate.php due to missing authorization checks, allowing an unauthenticated attacker to disable the plugin and its protection via a crafted requ...
CVE-2021-24906 Protect WP Admin < 3.6.2 - Unauthenticated Plugin Deactivation
The Protect WP Admin WordPress plugin before 3.6.2 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin and therefore the protection offered via a crafted request...
WordPress plugin access control error vulnerability
WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports the hosting of personal blogging sites on servers with PHP and MySQL. An access control error vulnerability exists in versions of the WordPress plugin Protect WP Admin prior to...
WordPress Protect WP Admin plugin <= 3.6 - Unauthenticated Plugin Deactivation vulnerability
Unauthenticated Plugin Deactivation vulnerability discovered by Krzysztof Zając in WordPress Protect WP Admin plugin versions <= 3.6. Solution: Update the WordPress Protect WP Admin plugin to the latest available version (at least 3.6.2)...
CVE-2021-24784
The WP Admin Logo Changer WordPress plugin through 1.0 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin update them via a CSRF attack...
CVE-2021-24784 WP Admin Logo Changer <= 1.0 - Plugin's Settings Update via CSRF
The WP Admin Logo Changer WordPress plugin through 1.0 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin update them via a CSRF attack...
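Several entries on this page share one root cause: a settings or action handler that performs no capability check and no nonce check (the "Settings Update via CSRF" entries for HC Custom WP-Admin URL, WPGlobus and WP Admin Logo Changer, the unauthenticated settings update in Change wp-admin login, and the unauthenticated deactivation in Protect WP Admin), sometimes combined with storing the submitted value unsanitised and echoing it back (the WPGlobus stored XSS entries). The following is an added example and not code from any of those plugins: a hypothetical settings page for a plugin that lets an admin change the login slug. The option name `myplugin_login_slug`, the `myplugin_save` action and the nonce field name are assumptions. It shows the vulnerable handler beside a hardened one that checks capability first, then the nonce, sanitises on the way in and escapes on the way out.

```php
<?php
// Added example, not any listed plugin's code. Option, action and nonce
// names are assumptions for illustration.

const MYPLUGIN_OPTION = 'myplugin_login_slug';

// Vulnerable shape: any POST to admin-post.php?action=myplugin_save is
// honoured. A page an admin visits elsewhere can auto-submit a hidden form
// (the document.getElementById("test").submit() pattern in the advisories)
// and silently change the login URL; the raw value is stored unsanitised.
function myplugin_save_vulnerable() {
    update_option( MYPLUGIN_OPTION, $_POST['login_slug'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}

// Hardened shape: authorization (capability) before authenticity (nonce),
// then validation before the value reaches the database.
function myplugin_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'myplugin_save', 'myplugin_nonce' ); // dies on bad/missing nonce
    $slug = sanitize_title( wp_unslash( $_POST['login_slug'] ?? '' ) );
    if ( '' === $slug ) {
        wp_die( 'Invalid slug', '', array( 'response' => 400 ) );
    }
    update_option( MYPLUGIN_OPTION, $slug );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_save_hardened' );
// Deliberately no admin_post_nopriv_ hook: unauthenticated requests are never routed here.

// The settings form mints the nonce, and the stored value is escaped when
// rendered, so even a value that slipped past sanitisation cannot become
// stored XSS in wp-admin.
function myplugin_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save">
        <?php wp_nonce_field( 'myplugin_save', 'myplugin_nonce' ); ?>
        <label>Login slug
            <input name="login_slug"
                   value="<?php echo esc_attr( get_option( MYPLUGIN_OPTION, 'login' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The ordering matters: `check_admin_referer()` only proves the request originated from a form this site rendered for this user; it does not prove the user is allowed to perform the action, so `current_user_can()` must be checked independently. The same two checks, in the same order, are what was missing from the `lib/pwa-deactivate.php` entry point described in the Protect WP Admin entries, where a direct request to the file bypassed both.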