8 matches found
CVE-2023-41870
CVE-2023-41870 affects the WP Crowdfunding plugin by Themeum (WordPress) up to version 2.1.5. The issue is a Missing Authorization/Improper Access Control vulnerability caused by incorrectly configured access control security levels, enabling unauthorized access to restricted areas. Red Hat and P...
CVE-2023-6161
The WP Crowdfunding WordPress plugin prior to 2.1.9 is affected by a Reflected Cross-Site Scripting (XSS) flaw: it does not sanitize/escape an input parameter before echoing it back in the page, enabling injection that could affect high-privilege accounts (e.g., admins). Technical details across ...
CVE-2023-6163
CVE-2023-6163 affects the WP Crowdfunding WordPress plugin prior to 2.1.10, where some settings are not sanitised/escaped. This can allow high-privilege users (e.g., admins) to perform Stored XSS, including in multisite environments, via vulnerable settings such as Crowdfunding > Settings >...
CVE-2023-5757
The CVE-2023-5757 issue affects the WP Crowdfunding WordPress plugin
CVE-2024-10117
CVE-2024-10117 concerns the WP Crowdfunding plugin for WordPress. A stored XSS flaw exists in the wpcf_donate shortcode across all versions up to and including 2.1.11, caused by insufficient input sanitization and output escaping for user-supplied attributes. Exploitation requires authenticated a...
CVE-2024-11910
CVE-2024-11910 affects the WP Crowdfunding plugin for WordPress. It enables Stored XSS via the wp-crowdfunding/search block in all versions up to 2.1.12, exploitable by authenticated attackers with Contributor-level access or higher. The root cause is insufficient input sanitization and output es...
CVE-2024-43937
CVE-2024-43937 corresponds to a Missing Authorization vulnerability in WP Crowdfunding (Themeum) affecting WP Crowdfunding versions n/a through 2.1.10. Connected sources (PT-2024-30798) describe the issue as an unauthorized access/configuration flaw that lets attackers enable/disable addons due t...
CVE-2024-11911
CVE-2024-11911 concerns the WP Crowdfunding plugin for WordPress. A missing capability check in the install_woocommerce_plugin() action allows authenticated users with Subscriber+ rights to install WooCommerce on all versions up to 2.1.12. Impact is limited since WooCommerce is typically required...