8 matches found
CVE-2025-11372
CVE-2025-11372 affects the LearnPress – WordPress LMS Plugin (WordPress) up to and including version 4.2.9.3. The root cause is missing capability checks on Admin Tools REST endpoints, with permission_callback set to __return_true, enabling unauthenticated attackers to perform destructive databas...
EUVD-2024-50564
Malicious code in bioql PyPI...
CVE-2024-12059
The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.1 via the eli_option_value shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract...
acf-to-rest-api plugin insecure direct object reference (IDOR) via permalink manipulation
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass...
GHSA-R345-X8HR-2R9P acf-to-rest-api plugin insecure direct object reference (IDOR) via permalink manipulation
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass...
Design/Logic Flaw
The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before 2.3.9.4, Thrive Quiz Builder WordPress plugin...
CVE-2020-13700
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass...
Cross-site request forgery (CSRF)
An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass...