Lucene search
K
WpvulndbRecent

14602 matches found

WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.11 views

Seers <= 8.0.6 - Missing Authorization via multiple AJAX actions

Description The Seers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple ajax functions in versions up to, and including, 8.0.6. This makes it possible for unauthenticated attackers to modify the cookie policy and change the conse...

8.6AI score0.00346EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.11 views

Animator < 3.0.11 - Missing Authorization to Plugin Settings Update

Description The Animator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the staupdateoptions function in versions up to, and including, 3.0.10. This makes it possible for subscribers to modify the plugin's settings. Version 3.0.9 used ...

6.9AI score0.00391EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.21 views

10Web Map Builder for Google Maps < 1.0.74 - Missing Authorization to Notice Dismissal

Description The 10Web Map Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gmwdbpinstallnoticestatus function in versions up to, and including, 1.0.73. This makes it possible for authenticated attackers, with subscriber-level...

6.7AI score0.0029EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.17 views

Leadster < 1.1.3 - Cross-Site Request Forgery via leadster_script_code_action

Description The Leadster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the leadsterscriptcodeaction function. This makes it possible for unauthenticated attackers to modify the...

8.8CVSS6.8AI score0.00261EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.21 views

DoLogin Security <= 3.7.1 - Missing Authorization via REST Endpoints

Description The DoLogin Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple REST functions in versions up to, and including, 3.7.1. This makes it possible for unauthenticated attackers to send test SMS messages to arbitrar...

9.5AI score0.00378EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.43 views

Charitable < 1.7.0.14 - Authenticated(Contributor+) Stored Cross-Site Scripting

Description The Charitable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 1.7.0.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.5CVSS5.9AI score0.00441EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.13 views

WP Word Count <= 3.2.4 - Missing Authorization via calculate_statistics

Description The WP Word Count plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the calculatestatistics function in versions up to, and including, 3.2.4. This makes it possible for authenticated attackers, with subscriber-level access and...

6.1AI score0.00272EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.11 views

Layer Slider <= 1.1.9.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Description The Layer Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.8CVSS5.9AI score0.00394EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.27 views

AI ChatBot < 4.9.1 and 4.9.2 - Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file

Description The AI ChatBot for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.8.9 as well as 4.9.2 via the qcldopenaiuploadpagetrainingfile function. This allows subscriber-level attackers to append "...

9.6CVSS7AI score0.02066EPSS
Exploits2References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.21 views

Neon text < 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The Neon text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's neontextbox shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes color. This makes it possible for...

6.4CVSS5.9AI score0.00524EPSS
Exploits4References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.25 views

Multi-column Tag Map < 17.0.27 - Cross-Site Request Forgery

Description The Multi-column Tag Map plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the scmcTagMappluginoptions function in versions up to, and including, 17.0.26. This makes it possible for unauthenticated attackers to update the plugin's setting...

6.8AI score0.00412EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.43 views

Vertical scroll recent post <= 14.0 - Cross-Site Request Forgery via vsrp_admin_options

Description The Vertical scroll recent post plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 14.0. This is due to missing or incorrect nonce validation on the 'vsrpadminoptions' function. This makes it possible for unauthenticated attackers to...

8.8CVSS6.6AI score0.0028EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.24 views

Pricing Deals for WooCommerce <= 2.0.3.2 - Missing Authorization via vtprd_ajax_clone_rule

Description The Pricing Deals for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data| due to a missing capability check on the 'vtprdajaxclonerule' function in versions up to, and including, 2.0.3.2. This makes it possible for unauthenticated attackers to clone...

6.9AI score0.00295EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.13 views

Accordion < 2.7 - Authenticated (Editor+) Stored Cross-Site Scripting via accordion settings

Description The Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and...

5.9CVSS5.9AI score0.00412EPSS
Exploits1References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.15 views

Korea SNS <= 1.6.4 - Settings Update via CSRF

Description The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

8.8CVSS8.5AI score0.00294EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.18 views

Giveaways and Contests by RafflePress < 1.12.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Giveaways and Contests by RafflePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rafflepress' and 'rafflepressgutenberg' shortcode in versions up to, and including, 1.12.0 due to insufficient input sanitization and output escaping on 'giframe' user...

6.4CVSS5.9AI score0.00482EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.10 views

Preloader Matrix <= 2.0.1 - Cross-Site Request Forgery

Description The Preloader Matrix plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the handleEndPoint function. This makes it possible for unauthenticated attackers to modify the plugin...

8.8CVSS8.5AI score0.00286EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.38 views

Flatsome < 3.17.6 - Unauthenticated PHP Object Injection

Description The Flatsome theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.17.5 via deserialization of untrusted input. This allows unauthenticated attackers to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed o...

9.8CVSS7.8AI score0.0049EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.13 views

Modal Window < 5.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Modal Window plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

6.4CVSS5.9AI score0.00568EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.20 views

affiliate-toolkit – WordPress Affiliate Plugin < 3.4.0 - Open Redirect via atkpout.php

Description The affiliate-toolkit – WordPress Affiliate Plugin is vulnerable to Open Redirect in versions up to, and including, 3.3.9. This is due to insufficient validation on the redirect url supplied via the 'url' parameter in atkpout.php. This makes it possible for unauthenticated attackers t...

6.1CVSS6.9AI score0.00414EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.18 views

WP Links Page < 4.9.5 - Cross-Site Request Forgery via wplf_ajax_update_screenshots

Description The WP Links Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.9.4. This is due to missing or incorrect nonce validation on the 'wplfajaxupdatescreenshots' function. This makes it possible for unauthenticated attackers to update...

8.8CVSS6.4AI score0.00288EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.19 views

Delete Duplicate Posts < 4.9 - Missing Authorization via AJAX Actions

Description The Delete Duplicate Posts plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on some of its AJAX actions in all versions up to 4.9 exclusive. This makes it possible for authenticated attackers, with subscriber access or higher, to...

9.8CVSS6.8AI score0.00509EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.17 views

WDContactFormBuilder <= 1.0.72 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The WDContactFormBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ContactFormBuilder' shortcode in versions up to, and including, 1.0.72 due to insufficient input sanitization and output escaping on 'id' user supplied attribute. This makes it possible...

6.4CVSS5.9AI score0.00407EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.12 views

Dropshipping & Affiliation with Amazon <= 2.1.2 - Authenticated (Subscriber+) Arbitrary File Upload

Description The Dropshipping & Affiliation with Amazon plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on files imported from a URL via the wpasimportproductfromamazon function called via an AJAX action in versions up to, and including, 2.1.2. This...

9.9CVSS7.9AI score0.00644EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.13 views

Donations Made Easy – Smart Donations <= 4.0.12 - Cross-Site Request Forgery

Description The Donations Made Easy – Smart Donations plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.0.12. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to...

8.8CVSS6.6AI score0.00286EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.15 views

Download CloudNet360 <= 3.2.0 - Reflected Cross-Site Scripting

Description The CloudNet360 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

6.1CVSS6.5AI score0.00412EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.15 views

Funnelforms Free < 3.4.2 - Missing Authorization to Arbitrary Post Duplication

Description The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsfcopyposts function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and...

4.3CVSS6.8AI score0.00395EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.21 views

FV Flowplayer Video Player < 7.5.39.7212 - Insufficient Input Validation to Unauthenticated Stored Cross-Site Scripting and Arbitrary Usermeta Update

Description The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘fvplayeruservideo’ parameter saved via the 'save' function hooked via init, and the plugin is also vulnerable to Arbitrary Usermeta Update via the 'save' function in versions up t...

6.1CVSS6.2AI score0.00471EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.11 views

WooCommerce < 7.9.0 - Sensitive Information Exposure

Description The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to...

6.8AI score
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.11 views

WP Post Columns <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The WP Post Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'column' shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5.7AI score0.0043EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.16 views

Taggbox <= 3.1 - Cross-Site Request Forgery

Description The Taggbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke this function via a forged...

8.8CVSS6.7AI score0.00254EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.17 views

Funnelforms Free < 3.4.2 - Missing Authorization to Enable/Disable Dark Mode

Description The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsfaf2triggerdarkmode function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level...

4.3CVSS6.7AI score0.00403EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.20 views

DrawIt (draw.io) <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The DrawIt draw.io plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inje...

6.5CVSS5.9AI score0.00378EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.12 views

Post Meta Data Manager < 1.2.2 - Cross-Site Request Forgery to Post, Term, and User Meta Deletion

Description The Post Meta Data Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the pmdmwpajaxdeletemeta, pmdmwpdeleteusermeta, and pmdmwpdeleteusermeta functions. This makes it possibl...

8.8CVSS6.8AI score0.00292EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.26 views

Login and Logout Redirect <= 2.0.2 - Open Redirect

Description The Login and Logout Redirect plugin for WordPress is vulnerable to Open Redirect in versions up to, and including, 2.0.2. This is due to insufficient validation on the redirect url supplied via the 'redirectto' parameter. This makes it possible for unauthenticated attackers to redire...

6.1CVSS7AI score0.00414EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.28 views

SmartCrawl WordPress SEO checker < 3.8.3 - Unauthenticated Password Protected Post Disclosure

Description The plugin does not prevent unauthorised users from accessing password-protected posts' content. PoC As unauthenticated, view the source via the web browser of any password protected post and find The content of the post will be disclosed in the meta and script tags after this, exampl...

7.5CVSS6.7AI score0.00756EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.10 views

Plainview Protect Passwords <= 1.4 - Cross-Site Request Forgery

Description The Plainview Protect Passwords plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the adminmenusettings function. This makes it possible for unauthenticated attackers to modif...

8.8CVSS6.6AI score0.00372EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.20 views

Remote Content Shortcode <= 1.5 - Authenticated(Contributor+) Local File Inclusion via shortcode

Description The Remote Content Shortcode plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.5 via the plugin's shortcode. This allows authenticated attackers with contributor-level privileges and above to include and execute arbitrary files on the serve...

8.1AI score0.00588EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.17 views

Youtube SpeedLoad <= 0.6.3 - Cross-Site Request Forgery

Description The Youtube SpeedLoad plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.6.3. This is due to missing or incorrect nonce validation on the ytslsettingspage function. This makes it possible for unauthenticated attackers to modify the...

8.8CVSS8.5AI score0.00277EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.16 views

Interactive World Map <= 3.2.0 - Reflected Cross-Site Scripting

Description The Interactive World Map plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...

7.1CVSS6.5AI score0.00412EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.22 views

Themify Ultra < 7.3.6 - Missing Authorization

Description The themify-ultra theme for WordPress is vulnerable to unauthorized access, modification or loss of data due to a missing capability check on an unknown function in all versions up to, and including, 7.3.3. This makes it possible for authenticated attackers with subscriber access or...

6.1AI score0.00444EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.10 views

WooCommerce Product Carousel Slider <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Description The WooCommerce Product Carousel Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.3.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.5CVSS5.9AI score0.0039EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.26 views

Category SEO Meta Tags <= 2.5 - Cross-Site Request Forgery via csmt_admin_options

Description The Category SEO Meta Tags plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5. This is due to missing or incorrect nonce validation on the 'csmtadminoptions' function. This makes it possible for unauthenticated attackers to change th...

8.8CVSS6.6AI score0.00261EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.21 views

WooCommerce Bookings < 2.0.4 - Cross-Site Request Forgery

Description The WooCommerce Bookings plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.3. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to invoke this function...

8.8CVSS6.7AI score0.00256EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.22 views

Youzify < 1.2.3 - Insecure Direct Object Reference

Description The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.2 due to missing validation on a user controlled key. This makes it...

6.5CVSS9.2AI score0.00428EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.13 views

Delete Usermetas < 1.2.0 - Cross-Site Request Forgery

Description The Delete Usermeta plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing nonce validation on the delumetoptionspage function. This makes it possible for unauthenticated attackers to remove user meta for...

4.3CVSS6.7AI score0.00297EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.30 views

Master Slider Pro <= 3.6.5 - Unauthenticated PHP Object Injection

Description The Master Slider Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.5 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable...

9.8CVSS9.1AI score0.00388EPSS
Exploits0References1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.19 views

Tab Ultimate < 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Tab Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS5.9AI score0.00544EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.16 views

Thrive Theme Builder < 3.24.0 - Subscriber+ Privilege Escalation

Description The them is vulnerable to privilege escalation, allowing any authenticated users, such as subscribers to elevate their privileges...

9.4AI score0.00526EPSS
Exploits0References1Affected Software1
WPVulnDB
WPVulnDB
added 2023/11/23 12:0 a.m.39 views

The Events Calendar < 6.2.8.1 - Unauthenticated Arbitrary Password Protected Post Read

Description The plugin discloses the content of password protected posts to unauthenticated users via a crafted request PoC Append "?view=single-event" to a password protected post, then view the source of the page and find the post content disclosed in...

7.5CVSS6.6AI score0.00776EPSS
Exploits2Affected Software1
Total number of security vulnerabilities14602