Search Results
- Results Type: Overview
- Keyword (text search): Wordpress
- Search Type: Search All
Vuln ID | Summary | Published | CVSS Severity
---|---|---|---
CVE-2021-4412 | The WP Prayer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.5. This is due to missing or incorrect nonce validation on the save() and export() functions. This makes it possible for unauthenticated attackers to save plugin settings and trigger a data export via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | July 12, 2023; 12:15:10 AM -0400 | V3.1: 4.3 MEDIUM; V2.0: (not available)
CVE-2021-4411 | The WP EasyPay – Square for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the wpep_download_transaction_in_excel() function. This makes it possible for unauthenticated attackers to trigger a transactions download via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | July 12, 2023; 12:15:10 AM -0400 | V3.1: 4.3 MEDIUM; V2.0: (not available)
CVE-2021-4410 | The Qtranslate Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.18. This is due to missing or incorrect nonce validation on the save_postdata() function. This makes it possible for unauthenticated attackers to save post data via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | July 12, 2023; 12:15:10 AM -0400 | V3.1: 4.3 MEDIUM; V2.0: (not available)
CVE-2021-4409 | The WooCommerce Etsy Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.3.1. This is due to missing or incorrect nonce validation on the etcpf_delete_feed() function. This makes it possible for unauthenticated attackers to delete an export feed via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | July 12, 2023; 12:15:10 AM -0400 | V3.1: 4.3 MEDIUM; V2.0: (not available)
CVE-2021-4408 | The DW Question & Answer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.8. This is due to missing or incorrect nonce validation on the update_answer() function. This makes it possible for unauthenticated attackers to update answers to questions via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | July 12, 2023; 12:15:10 AM -0400 | V3.1: 4.3 MEDIUM; V2.0: (not available)
CVE-2021-4407 | The Custom Banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.2. This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to save custom fields via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | July 12, 2023; 12:15:10 AM -0400 | V3.1: 4.3 MEDIUM; V2.0: (not available)
CVE-2020-36750 | The EWWW Image Optimizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.8.1. This is due to missing or incorrect nonce validation on the ewww_ngg_bulk_init() function. This makes it possible for unauthenticated attackers to perform bulk image optimization via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | July 12, 2023; 12:15:10 AM -0400 | V3.1: 4.3 MEDIUM; V2.0: (not available)
CVE-2023-34029 | Cross-Site Request Forgery (CSRF) vulnerability in Prem Tiwari Disable WordPress Update Notifications and auto-update Email Notifications plugin <= 2.3.3 versions. | July 11, 2023; 9:15:09 AM -0400 | V3.1: 6.5 MEDIUM; V2.0: (not available)
CVE-2023-25706 | Cross-Site Request Forgery (CSRF) vulnerability in Pagup WordPress Robots.Txt optimization plugin <= 1.4.5 versions. | July 11, 2023; 9:15:09 AM -0400 | V3.1: 6.5 MEDIUM; V2.0: (not available)
CVE-2023-34185 | Cross-Site Request Forgery (CSRF) vulnerability in John Brien WordPress NextGen GalleryView plugin <= 0.5.5 versions. | July 11, 2023; 8:15:09 AM -0400 | V3.1: 6.5 MEDIUM; V2.0: (not available)
CVE-2023-37391 | Cross-Site Request Forgery (CSRF) vulnerability in WPMobilePack.Com WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps plugin <= 3.4.1 versions. | July 11, 2023; 6:15:11 AM -0400 | V3.1: 6.5 MEDIUM; V2.0: (not available)
CVE-2022-45823 | Cross-Site Request Forgery (CSRF) vulnerability in GalleryPlugins Video Contest WordPress plugin <= 3.2 versions. | July 11, 2023; 4:15:09 AM -0400 | V3.1: 8.8 HIGH; V2.0: (not available)
CVE-2023-2079 | The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the recieve_post, bmc_disconnect, name_post, and widget_post functions in versions up to, and including, 3.7. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request, granted the attacker can trick a site's administrator into performing an action such as clicking on a link. | July 10, 2023; 11:15:09 PM -0400 | V3.1: 5.3 MEDIUM; V2.0: (not available)
CVE-2023-2078 | The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the recieve_post, bmc_disconnect, name_post, and widget_post functions in versions up to, and including, 3.7. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to update the plugin's settings. CVE-2023-25030 may be a duplicate of this issue. | July 10, 2023; 11:15:09 PM -0400 | V3.1: 4.3 MEDIUM; V2.0: (not available)
CVE-2023-3225 | The Float menu WordPress plugin before 5.0.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | July 10, 2023; 12:15:55 PM -0400 | V3.1: 4.8 MEDIUM; V2.0: (not available)
CVE-2023-3219 | The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post. | July 10, 2023; 12:15:55 PM -0400 | V3.1: 5.3 MEDIUM; V2.0: (not available)
CVE-2023-3209 | The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both. | July 10, 2023; 12:15:55 PM -0400 | V3.1: 3.5 LOW; V2.0: (not available)
CVE-2023-3175 | The AI ChatBot WordPress plugin before 4.6.1 does not adequately escape some settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | July 10, 2023; 12:15:55 PM -0400 | V3.1: 4.8 MEDIUM; V2.0: (not available)
CVE-2023-3131 | The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both. | July 10, 2023; 12:15:55 PM -0400 | V3.1: 4.3 MEDIUM; V2.0: (not available)
CVE-2023-3129 | The URL Shortify WordPress plugin before 1.7.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | July 10, 2023; 12:15:55 PM -0400 | V3.1: 4.8 MEDIUM; V2.0: (not available)