Total: 274572 CVE
CVE | Vendor | Product | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2021-4366 | Magazine3 | Pwa For Wp & Amp | 2024-12-20 | 6.3 Medium | The PWA for WP & AMP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the pwaforwp_update_features_options function in versions up to, and including, 1.7.32. This makes it possible for authenticated attackers to change otherwise restricted settings within the plugin. |
CVE-2019-25148 | Codemiq | Wp Html Mail | 2024-12-20 | 6.1 Medium | The WP HTML Mail plugin for WordPress is vulnerable to HTML injection in versions up to, and including, 2.9.0.3 due to insufficient input sanitization. This makes it possible for unauthenticated attackers to inject arbitrary HTML into pages, which executes if they can trick an administrator into performing an action such as clicking on a link. |
CVE-2023-3125 | Webwizards | B2bking | 2024-12-20 | 6.5 Medium | The B2BKing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'b2bking_save_price_import' function in versions up to, and including, 4.6.00. This makes it possible for authenticated attackers with subscriber- or customer-level permissions to modify the pricing of any product on the site. |
CVE-2021-4371 | Pluginmirror | Wp Quick Frontend Editor | 2024-12-20 | 4.3 Medium | The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to unauthorized settings changes in versions up to, and including, 5.5. This is due to missing both a security nonce and a capability check. This makes it possible for low-privileged authenticated attackers to change plugin settings even though they lack the capability to do so. |
CVE-2020-36722 | Visualcomposer | Visual Composer Website Builder | 2024-12-20 | 5.5 Medium | The Visual Composer plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 26.0 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts that execute in a victim's browser. |
CVE-2023-3126 | Webwizards | B2bking | 2024-12-20 | 4.3 Medium | The B2BKing plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'b2bkingdownloadpricelist' function in versions up to, and including, 4.6.00. This makes it possible for authenticated attackers with subscriber- or customer-level permissions to retrieve the full pricing list of all products on the site. |
CVE-2021-4375 | Collne | Welcart E-commerce | 2024-12-20 | 4.3 Medium | The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the usces_download_system_information() function in versions up to, and including, 2.2.7. This makes it possible for authenticated attackers to download information including WordPress settings, plugin settings, PHP settings and server settings. |
CVE-2021-4376 | Palscode | Woocommerce Multi Currency | 2024-12-20 | 4.3 Medium | The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value. |
CVE-2019-25149 | Robogallery | Gallery Images Ape | 2024-12-20 | 7.6 High | The Gallery Images Ape plugin for WordPress is vulnerable to Arbitrary Plugin Deactivation in versions up to, and including, 2.0.6. This allows authenticated attackers with any capability level to deactivate any plugin on the site, including plugins necessary for site functionality or security. |
CVE-2021-4377 | Wobbie | Doneren Met Mollie | 2024-12-20 | 6.5 Medium | The Doneren met Mollie plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.8.5 via the dmm_export_donations() function, which is called via the admin_post_dmm_export hook, due to missing capability checks. This allows authenticated attackers to extract a CSV file that contains sensitive information about the donors. |
CVE-2020-36729 | 2joomla | 2j Slideshow | 2024-12-20 | 5.4 Medium | The 2J-SlideShow Plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'twoj_slideshow_setup' function called via the wp_ajax_twoj_slideshow_setup AJAX action in versions up to, and including, 1.3.31. This makes it possible for authenticated attackers with Subscriber-level access or above to perform otherwise restricted actions and subsequently deactivate any plugin on the blog. |
CVE-2019-25151 | Cartflows | Cartflows | 2024-12-20 | 5.4 Medium | The Funnel Builder plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the activate_plugin function in versions up to, and including, 1.3.0. This makes it possible for authenticated attackers to activate any plugin on the vulnerable site. |
CVE-2021-4383 | Webdevocean | Wp Quick Frontend Editor | 2024-12-20 | 8.1 High | The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to page content injection in versions up to, and including, 5.5. This is due to missing capability checks in the plugin's page-editing functionality. This makes it possible for low-privileged authenticated attackers, such as subscribers, to edit or create any page or post on the blog. |
CVE-2021-4379 | Villatheme | Woocommerce Multi Currency | 2024-12-20 | 6.5 Medium | The WooCommerce Multi Currency plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wmc_bulk_fixed_price function in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to make changes to product prices. |
CVE-2023-0831 | Webfactoryltd | Under Construction | 2024-12-20 | 4.3 Medium | The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the dismiss_notice function called via the admin_action_ucp_dismiss_notice action. This makes it possible for unauthenticated attackers to dismiss plugin notifications via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. |
CVE-2023-2084 | Wpdeveloper | Essential Blocks | 2024-12-20 | 4.3 Medium | The Essential Blocks plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the get function in versions up to, and including, 4.0.6. This makes it possible for subscriber-level attackers to obtain plugin settings. A nonce check is present, but it is only executed when a nonce is provided; omitting the nonce causes the verification to be skipped, and there is no capability check. |
CVE-2023-2764 | Nsqua | Draw Attention | 2024-12-20 | 4.3 Medium | The Draw Attention plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_set_featured_image function in versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change the featured image of arbitrary posts to any image that exists in the media library. |
CVE-2023-0694 | Wpmet | Metform Elementor Contact Form Builder | 2024-12-20 | 6.5 Medium | The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above, to obtain sensitive information about any standard form field of any form submission. |
CVE-2023-0695 | Wpmet | Metform Elementor Contact Form Builder | 2024-12-20 | 5.4 Medium | The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts into pages that will execute when the victim visits a specific link. Note that getting the JavaScript to execute still requires user interaction, as the victim must visit a crafted link containing the form entry id, but the script itself is stored in the site database. |
CVE-2023-0709 | Wpmet | Metform Elementor Contact Form Builder | 2024-12-20 | 5.4 Medium | The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf_last_name' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts into pages that will execute when the victim visits a page containing the shortcode while the submission id is present in the query string. Note that getting the JavaScript to execute requires user interaction, as the victim must visit a crafted link containing the form entry id, but the script itself is stored in the site database. |
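Most entries above share two root causes: a `wp_ajax_*`, `admin_post_*` or `admin_action_*` handler that never calls `current_user_can()` (CVE-2021-4366, CVE-2023-3125, CVE-2020-36729, CVE-2023-2764 and others), sometimes with a nonce check that is only run when the caller bothers to send a nonce (CVE-2023-2084), or with no nonce at all (CVE-2023-0831); and a shortcode that echoes a stored form submission without output escaping (CVE-2023-0695, CVE-2023-0709). The following is an added example written for this page, not code from any of the listed plugins: a minimal handler and shortcode written the vulnerable way and then the hardened way. Every hook, option, meta key and function name (`demo_*`) is hypothetical.

```php
<?php
/**
 * Added example (not from any plugin listed above). Hook, option and
 * function names are hypothetical. The hardened pattern is the same for
 * every entry point: require a nonce AND check a capability; a nonce
 * proves intent, not privilege.
 */

// --- Vulnerable AJAX handler --------------------------------------------
// wp_ajax_* runs for any logged-in user, so a Subscriber can reach it.
add_action( 'wp_ajax_demo_update_settings', 'demo_update_settings_vulnerable' );

function demo_update_settings_vulnerable() {
    // Bug 1 (CVE-2023-2084 pattern): the nonce is only verified when one is
    // supplied, so an attacker simply omits the parameter.
    if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( $_POST['_wpnonce'], 'demo_settings' ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    // Bug 2: no capability check; being authenticated is treated as authorization.
    update_option( 'demo_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_send_json_success();
}

// --- Hardened AJAX handler ----------------------------------------------
add_action( 'wp_ajax_demo_update_settings_safe', 'demo_update_settings_safe' );

function demo_update_settings_safe() {
    // CSRF: the nonce is mandatory. check_ajax_referer() dies with -1 / 403 on failure.
    check_ajax_referer( 'demo_settings', '_wpnonce' );

    // Authorization: admin-only settings need an admin-level capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Allow-list and sanitize fields instead of storing the raw POST array.
    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = array(
        'enabled' => ! empty( $raw['enabled'] ),
        'title'   => sanitize_text_field( $raw['title'] ?? '' ),
    );
    update_option( 'demo_settings', $settings );
    wp_send_json_success( $settings );
}

// --- Same two checks on admin-post.php handlers -------------------------
// CVE-2021-4377 (admin_post_*) and CVE-2023-0831 (admin_action_*) patterns.
add_action( 'admin_post_demo_export', 'demo_export_safe' );

function demo_export_safe() {
    check_admin_referer( 'demo_export' );         // dies unless a valid nonce is present
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', 403 );               // integer title is sent as the HTTP status
    }
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="export.csv"' );
    echo "id,amount\n";                           // constructed placeholder row
    exit;
}

// --- Shortcode output: escape on output --------------------------------
// CVE-2023-0695 / CVE-2023-0709 pattern: the value came from the database,
// but it was written there by an arbitrary form submitter, so it is untrusted.
add_shortcode( 'demo_last_name', 'demo_last_name_shortcode' );

function demo_last_name_shortcode() {
    $id   = isset( $_GET['submission_id'] ) ? absint( $_GET['submission_id'] ) : 0;
    $name = $id ? get_post_meta( $id, 'demo_last_name', true ) : '';
    // Vulnerable form would be:  return $name;
    return esc_html( (string) $name );
}
```

Two checks to apply when auditing a plugin against this list: grep every `add_action( 'wp_ajax_`, `'admin_post_` and `'admin_action_` registration and confirm the callback reaches both a `check_ajax_referer()`/`check_admin_referer()`/`wp_verify_nonce()` call that is not wrapped in an `isset()` condition and a `current_user_can()` call with a capability appropriate to the action; and for every `add_shortcode()` callback, confirm that anything built from `$_GET`, `$_POST` or user-entered post meta passes through `esc_html()`, `esc_attr()` or `wp_kses_post()` before it is returned.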