Lucene search
K
WpvulndbRecent

14603 matches found

WPVulnDB
WPVulnDB
added 2024/03/05 12:0 a.m.10 views

Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid < 1.3.9 - Authenticated(Contributor+) PHP Object Injection

Description The Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization via shortcode of untrusted input. This makes it possible for authenticated attackers, with...

7.5CVSS7AI score0.01021EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/05 12:0 a.m.12 views

Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget < 1.6.8 - Authenticated (Contributor+) PHP Object Injection in outpost_shortcode_metabox_markup

Description The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.7 via deserialization of untrusted input in the outpostshortcodemetaboxmarkup function...

8.8CVSS7AI score0.01211EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/05 12:0 a.m.24 views

Simple Membership < 4.4.3 - Unauthenticated Stored Self-Based Cross-Site Scripting

Description The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Display Name' parameter in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inje...

6.1CVSS6.1AI score0.00867EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/05 12:0 a.m.17 views

Testimonial Slider < 2.3.7 - Author+ Settings Update

Description The plugin does not properly ensure that a user has the necessary capabilities to edit certain sensitive plugin settings, making it possible for users with at least the Author role to edit them. PoC 1 Go to a page where one of the sliders is already in use and intercept the nonce tss ...

9.3AI score0.00381EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/05 12:0 a.m.26 views

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin < 1.6.6.24 - Cross-Site Request Forgery to Plugin Data Reset

Description The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.6.20. This is due to missing or incorrect nonce validation on the ssafactoryreset function. This...

4.7CVSS6.4AI score0.00268EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.17 views

Ebook Store < 5.8002 - Admin+ Stored XSS

Description The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.9CVSS5.4AI score0.00336EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.18 views

Image Optimizer, Resizer and CDN – Sirv < 7.2.1 - Authenticated (Subscriber+) Server-Side Request Forgery

Description The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary...

5.4CVSS6.5AI score0.00342EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.12 views

Easy!Appointments < 1.3.2 - Contributor+ Stored Cross-Site Scripting

Description The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

6.4CVSS6.4AI score0.00408EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.15 views

Vimeography < 2.3.3 - Contributor+ PHP Object Injection

Description The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the vimeographyduplicategalleryserialized in the duplicategallery function. This makes it possible for authenticated attackers attackers, with contributor access or higher, to inject a PHP...

8.8CVSS9.2AI score0.00893EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.16 views

JM Twitter Cards < 14.1.0 - Password Protected Post Access

Description The plugin is vulnerable to Information Exposure via the meta description data, allowing unauthenticated attackers to view password protected post content when viewing the page source...

5.3CVSS7AI score0.00611EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.20 views

CM Download Manager < 2.9.0 - Download Deletion via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in admins delete downloads via a CSRF attack PoC Make an admin open the URL below https://example.com/cmdownload/del/id/...

6.4AI score0.00244EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.14 views

CM Download and File Manager < 2.9.0 - Download Unpublish via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in admins unpublish downloads via a CSRF attack PoC Make an admin open the URL below https://example.com/cmdownload/unpublish/id/...

6.4AI score0.00225EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.8 views

Page Builder Sandwich <= 5.1.0 - Missing Authorization to Authenticated(Subscriber+) Arbitrary Post Editing

Description The Page Builder Sandwich – Front End WordPress Page Builder Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'gambitbuildersavecontent' function in all versions up to, and including, 5.1.0. This makes it possible...

6.5CVSS6.5AI score0.00431EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.11 views

Build & Control Block Patterns – Boost up Gutenberg Editor <= 1.3.5.4 - Missing Authorization

Description The Build & Control Block Patterns – Boost up Gutenberg Editor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the settingsexport function in all versions up to, and including, 1.3.5.4. This makes it possible for unauthenticated...

5.3CVSS6.7AI score0.00475EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.15 views

FeedWordPress < 2024.0428 - Unauthenticated Draft Access

Description The plugin is vulnerable to Insecure Direct Object Reference due to missing validation on the user controlled 'guid' key. This makes it possible for unauthenticated attackers to view draft posts that may contain sensitive information...

5.3CVSS5.6AI score0.00621EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.13 views

Password Protected Store for WooCommerce < 2.3 - Unauthenticated Arbitrary Post Tile & Content Access

Description The plugin is vulnerable to Sensitive Information Exposure via the REST API, allowing unauthenticated attackers to extract sensitive data including post titles and content...

5.3CVSS6.8AI score0.00577EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.13 views

SportsPress – Sports Club & League Manager < 2.7.18 - Missing Authorization to Unauthenticated Event Permalink Update

Description The SportsPress – Sports Club & League Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settingssave function in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to...

5.3CVSS7AI score0.00431EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.19 views

Blue Triad EZAnalytics <= 1.0 - Reflected Cross-Site Scripting via 'bt_webid'

Description The Blue Triad EZAnalytics plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'btwebid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

6.1CVSS6.3AI score0.00374EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.18 views

Auto Refresh Single Page <= 1.1 - Authenticated (Contributor+) PHP Object Injection

Description The Auto Refresh Single Page plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1 via deserialization of untrusted input from the arspoptions post meta option. This makes it possible for authenticated attackers, with contributor-level...

8.8CVSS7.4AI score0.00851EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.10 views

Maintenance Mode < 3.0.2 - Unauthenticated Post/Page Content Disclosure

Description The plugin is vulnerable to Sensitive Information Exposure via the REST API, allowing unauthenticated attackers to obtain post and page content via API thus bypassing the content protection provided by the plugin...

5.3CVSS6.3AI score0.00532EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.18 views

Image Optimizer, Resizer and CDN – Sirv < 7.2.1 - Missing Authorization

Description The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including 7.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above,...

5.4CVSS6.5AI score0.00372EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.15 views

CM Download and File Manager < 2.9.1 - Download Edit via CSRF

Description The plugin does not have CSRF checks in some places, which could allow attackers to make logged in admins edit downloads via a CSRF attack PoC Make an admin open an HTML file containing the following:...

6.3AI score0.0047EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.17 views

Page Builder Sandwich – Front End WordPress Page Builder Plugin <= 5.1.0 - Sensitive Information Exposure

Description The Page Builder Sandwich – Front End WordPress Page Builder Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.1.0. This makes it possible for authenticated attackers, with subscriber access and higher, to extract...

6.5CVSS6.4AI score0.00491EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.48 views

Elementor Pro < 3.19.3 - Authenticated (Contributor+) Information Exposure

Description The Elementor Website Builder Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.19.2 . This makes it possible for authenticated attackers, with contributor-level access and above, to extract arbitrary user meta values...

6.5CVSS6.9AI score0.00529EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.14 views

Change Memory Limit <= 1.0 - Missing Authorization via admin_logic()

Description The Change Memory Limit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the adminlogic function hooked via admininit in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to update t...

5.3CVSS6.7AI score0.00427EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/04 12:0 a.m.11 views

Schema Pro < 2.7.16 - Contributor+ Custom Field Access

Description The plugin does not validate post access allowing a contributor user to access custom fields on any post regardless of post type or status via a shortcode PoC As a contributor, add/edit a post and embed aiosrsprocustomfield postid="ANYPOSTID" fieldkey="ANYMETAKEY" and specify/guess an...

9.3AI score0.00453EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/02 12:0 a.m.19 views

Ultimate Bootstrap Elements for Elementor < 1.3.7 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the ‘headingtitletag’ and ’headingsubtitletag’ parameters due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level and above permissions to inject...

6.4CVSS5.9AI score0.0051EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/02 12:0 a.m.18 views

Ultimate Bootstrap Elements for Elementor <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Widget

Description The Ultimate Bootstrap Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Widget in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib...

5.5AI score0.0032EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/01 12:0 a.m.14 views

Gutenberg Blocks by Kadence Blocks < 3.2.24 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the htmlTag attribute due to insufficient input sanitization and output escaping, allowing authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user...

6.4CVSS6AI score0.00532EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/01 12:0 a.m.15 views

Master Slider <= 3.9.9 - Editor+ Stored XSS via slider callback

Description The plugin is vulnerable to Stored Cross-Site Scripting via the slides callback functionality. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only...

4.8CVSS4.7AI score0.00656EPSS
Exploits1References1
WPVulnDB
WPVulnDB
added 2024/03/01 12:0 a.m.18 views

Master Slider <= 3.9.10 - Sliders Deletion via CSRF

Description The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the 'processbulkaction' function. This makes it possible for unauthenticated attackers to duplicate or delete arbitrary sliders via a forged request granted they can trick a site...

5.4CVSS5.7AI score0.00257EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/03/01 12:0 a.m.20 views

AI Engine < 2.2.1 - Unauthenticated Stored Cross-Site Scripting

Description The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AI chat data when discussion tracking is enabled in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output...

6.5CVSS6.2AI score0.0061EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/01 12:0 a.m.22 views

GenerateBlocks < 1.8.3 - Contributor+ Arbitrary Draft/Private Post Access

Description The plugin is vulnerable to Sensitive Information Exposure via Query Loop, allowing authenticated attackers, with contributor access and above, to see contents of posts and pages in draft or private status as well as those with scheduled publication dates...

4.3CVSS6.3AI score0.00575EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/01 12:0 a.m.22 views

Avada < 7.11.6 - Authenticated(Contributor+) Sensitive Information Exposure via Form Entries

Description The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 7.11.5 via the form entries page. This makes it possible for authenticated attackers, with contributor access and above, to view...

6.5CVSS6.2AI score0.00658EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/01 12:0 a.m.17 views

Calculated Fields Form Professional < 5.1.57 - Unauthenticated Stored Cross-Site Scripting

Description The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form page href parameter in all versions up to, and including, 5.1.56 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers t...

7.2CVSS5.8AI score0.00577EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/01 12:0 a.m.19 views

WP Show Posts < 1.1.5 - Information Exposure

Description The WP Show Posts plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the wpspdisplay function. This makes it possible for authenticated attackers with contributor access and above to view the contents of draft, trash,...

5.3CVSS6.1AI score0.00653EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/03/01 12:0 a.m.31 views

Master Slider <= 3.9.10 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the plugin's msslide shortcode due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject...

6.4CVSS5.9AI score0.00433EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2024/02/29 12:0 a.m.16 views

Giveaways and Contests by RafflePress < 1.12.7 - Unauthenticated Stored Cross-Site Scripting

Description The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘parenturl’ parameter in all versions up to, and including, 1.12.5 due to insufficient input...

7.2CVSS5.9AI score0.00685EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/29 12:0 a.m.16 views

AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth By AWeber < 7.3.15 - Authenticated (Admin+) SQL Injection

Description The AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth plugin for WordPress is vulnerable to SQL Injection via the 'postid' parameter in all versions up to, and including, 7.3.14 due to insufficient escaping on the user supplied...

7.2CVSS7.1AI score0.0089EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/29 12:0 a.m.44 views

LiteSpeed Cache < 5.7.0.1 - Unauthenticated Stored XSS

Description The plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nameservers' and 'msg' parameters due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user...

8.3CVSS8.2AI score0.54872EPSS
Exploits5References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/29 12:0 a.m.23 views

Slider Responsive Slideshow – Image slider, Gallery slideshow < 1.4.0 - Authenticated (Contributor+) PHP Object Injection

Description The Slider Responsive Slideshow – Image slider, Gallery slideshow plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization of untrusted input to the awlsliderresponsiveshortcode function. This makes it possible for...

8.8CVSS7.4AI score0.00823EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/29 12:0 a.m.22 views

Exclusive Addons for Elementor < 2.6.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via data attribute in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.7AI score0.01593EPSS
Exploits12References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/29 12:0 a.m.22 views

Beaver Builder – WordPress Page Builder < 2.7.4.3 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the audio widget 'linkurl' parameter due to insufficient input sanitization and output escaping, allowing authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute...

6.4CVSS5.8AI score0.00532EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/29 12:0 a.m.28 views

Visual Composer Premium < 45.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Visual Composer Website Builder, Landing Page Builder, Custom Theme Builder, Maintenance Mode & Coming Soon Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom fields in all versions up to, and including, 45.6.0 due to insufficient input...

6.4CVSS5.9AI score0.00416EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/29 12:0 a.m.19 views

NextMove Lite – Thank You Page for WooCommerce & Finale Lite – Sales Countdown Timer & Discount for WooCommerce <= 2.17.0 - Missing Authorization to Unauthenticated System Information Disclosure

Description The NextMove Lite – Thank You Page for WooCommerce and Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the downloadtoolssettings function in all versions up to, and...

5.3CVSS6.5AI score0.00537EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/29 12:0 a.m.9 views

Essential Blocks < 4.5.2 - Contributor+ Stored XSS

Description The plugin is vulnerable to Stored Cross-Site Scripting via the blockId parameter due to insufficient input sanitization and output escaping, allowing authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user...

6.4CVSS5.8AI score0.00427EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/29 12:0 a.m.27 views

LiteSpeed Cache < 5.7.0.1 - Unauthenticated CDN Status Update

Description The plugin is vulnerable to unauthorized modification of data due to a missing authorization check on the 'updatecdnstatus' function, allowing unauthenticated attackers to modify the plugin's CDN status...

8.2CVSS6.7AI score0.00413EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/29 12:0 a.m.76 views

Download Manager < 3.2.85 - Unauthenticated File Download

Description The plugin is vulnerable to unauthorized file download of files added via the plugin, allowing unauthenticated attackers to download files added with the plugin even when privately published...

5.3CVSS7.1AI score0.00546EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/29 12:0 a.m.19 views

Exclusive Addons for Elementor < 2.6.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call To Action Widget

Description The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Action widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...

6.4CVSS5.7AI score0.00423EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2024/02/29 12:0 a.m.23 views

Wp Social Login and Register Social Counter < 3.0.1 - Missing Authorization to Unauthenticated Social Login/Share Status Update

Description The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wpsocial/v1/ REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated...

6.5CVSS6.6AI score0.0044EPSS
Exploits0References1Affected Software1
Total number of security vulnerabilities14603