Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2024-3490 |
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wprm-recipe-roundup-item shortcode in all versions up to, and including, 9.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: May 02, 2024; 3:15:22 AM -0400 |
V3.1: 6.4 MEDIUM V2.0:(not available) |
CVE-2024-3481 |
The Counter Box WordPress plugin before 1.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such deleting counters via CSRF attacks Published: May 02, 2024; 2:15:51 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-3478 |
The Herd Effects WordPress plugin before 5.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting effects via CSRF attacks Published: May 02, 2024; 2:15:51 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-3477 |
The Popup Box WordPress plugin before 2.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting popups via CSRF attacks Published: May 02, 2024; 2:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-3476 |
The Side Menu Lite WordPress plugin before 4.2.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting buttons via CSRF attacks Published: May 02, 2024; 2:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-3475 |
The Sticky Buttons WordPress plugin before 3.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting buttons via CSRF attacks Published: May 02, 2024; 2:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-3474 |
The Wow Skype Buttons WordPress plugin before 4.0.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting buttons via CSRF attacks Published: May 02, 2024; 2:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-3472 |
The Modal Window WordPress plugin before 5.3.10 does not have CSRF check in place when bulk deleting modals, which could allow attackers to make a logged in admin delete them via a CSRF attack Published: May 02, 2024; 2:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-3471 |
The Button Generator WordPress plugin before 3.0 does not have CSRF check in place when bulk deleting, which could allow attackers to make a logged in admin delete buttons via a CSRF attack Published: May 02, 2024; 2:15:50 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-2405 |
The Float menu WordPress plugin before 6.0.1 does not have CSRF check in its bulk actions, which could allow attackers to make logged in admin delete arbitrary menu via a CSRF attack. Published: May 02, 2024; 2:15:49 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-0334 |
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom attribute of a link in several Elementor widgets in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: May 01, 2024; 9:15:48 AM -0400 |
V3.1: 6.4 MEDIUM V2.0:(not available) |
CVE-2024-3591 |
The Geo Controller WordPress plugin before 8.6.5 unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog. Published: May 01, 2024; 2:15:21 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-4185 |
The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Email Verification and Authentication Bypass in all versions up to, and including, 2.7.4 via the use of insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification, and if both the "Login the user automatically after the account is verified" and "Verify account for current users" options are checked, then it potentially makes it possible for attackers to bypass authentication for other users. Published: April 30, 2024; 5:15:07 AM -0400 |
V3.1: 8.1 HIGH V2.0:(not available) |
CVE-2024-3072 |
The ACF Front End Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_texts() function in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary post title, content, and ACF data. Published: April 30, 2024; 5:15:07 AM -0400 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
CVE-2024-2663 |
The ZD YouTube FLV Player plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.6 via the $_GET['image'] parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Published: April 30, 2024; 5:15:07 AM -0400 |
V3.1: 8.3 HIGH V2.0:(not available) |
CVE-2024-1895 |
The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.4 via deserialization via shortcode of untrusted input from a custom meta value. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. Published: April 30, 2024; 5:15:06 AM -0400 |
V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2024-1371 |
The LeadConnector plugin for WordPress is vulnerable to unauthorized modification & loss of data due to a missing capability check on the lc_public_api_proxy() function in all versions up to, and including, 1.7. This makes it possible for unauthenticated attackers to delete arbitrary posts. Published: April 29, 2024; 11:15:06 PM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-0216 |
The Google Doc Embedder plugin for WordPress is vulnerable to Server Side Request Forgery via the 'gview' shortcode in versions up to, and including, 2.6.4. This can allow authenticated attackers with contributor-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Published: April 29, 2024; 10:15:06 PM -0400 |
V3.1: 6.4 MEDIUM V2.0:(not available) |
CVE-2024-2505 |
The GamiPress WordPress plugin before 6.8.9's access control mechanism fails to properly restrict access to its settings, permitting Authors to manipulate requests and extend access to lower privileged users, like Subscribers, despite initial settings prohibiting such access. This vulnerability resembles broken access control, enabling unauthorized users to modify critical GamiPress WordPress plugin before 6.8.9 configurations. Published: April 29, 2024; 2:15:07 AM -0400 |
V3.x:(not available) V2.0:(not available) |
CVE-2024-1905 |
The Smart Forms WordPress plugin before 2.6.96 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) Published: April 29, 2024; 2:15:07 AM -0400 |
V3.x:(not available) V2.0:(not available) |