Total
274571 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-2556 | 1 Pluginus | 1 Wordpress Currency Switcher | 2024-12-20 | 4.3 Medium |
| The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the anonymous function for the wpcs_sd_delete action in versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete an arbitrary custom drop-down currency switcher. | ||||
| CVE-2023-2891 | 1 Wpeasycart | 1 Wp Easycart | 2024-12-20 | 6.5 Medium |
| The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_delete_product function. This makes it possible for unauthenticated attackers to delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-1807 | 1 Staxwp | 1 Stax | 2024-12-20 | 4.3 Medium |
| The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.3. This is due to missing or incorrect nonce validation on the toggle_widget function. This makes it possible for unauthenticated attackers to enable or disable Elementor widgets via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-1169 | 1 Ooohboi Steroids For Elementor Project | 1 Ooohboi Steroids For Elementor | 2024-12-20 | 4.3 Medium |
| The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to missing authorization due to a missing capability check on the 'file_uploader_callback' function in versions up to, and including, 2.1.4. This makes it possible for subscriber-level attackers to upload image attachments to the site. | ||||
| CVE-2023-0292 | 1 Expresstech | 1 Quiz And Survey Master | 2024-12-20 | 5.4 Medium |
| The Quiz And Survey Master plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.0.8. This is due to missing nonce validation on the function associated with the qsm_remove_file_fd_question AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary media files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-2066 | 1 Bulletin | 1 Announcement \& Notification Banner - Bulletin | 2024-12-20 | 6.3 Medium |
| The Announcement & Notification Banner – Bulletin plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'bulletinwp_update_bulletin_status', 'bulletinwp_update_bulletin', 'bulletinwp_update_settings', 'bulletinwp_update_status', 'bulletinwp_export_bulletins', and 'bulletinwp_import_bulletins' functions functions in versions up to, and including, 3.6.0. This makes it possible for authenticated attackers with subscriber-level access, and above, to modify the plugin's settings, modify bulletins, create new bulletins, and more. | ||||
| CVE-2023-2087 | 1 Wpdeveloper | 1 Essential Blocks | 2024-12-20 | 4.3 Medium |
| The Essential Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.0.6. This is due to missing or incorrect nonce validation on the save function. This makes it possible for unauthenticated attackers to change plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-2557 | 1 Pluginus | 1 Wordpress Currency Switcher Professional | 2024-12-20 | 4.3 Medium |
| The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save function in versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit an arbitrary custom drop-down currency switcher. | ||||
| CVE-2023-2555 | 1 Pluginus | 1 Wordpress Currency Switcher Professional | 2024-12-20 | 4.3 Medium |
| The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create function in versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to create a custom drop-down currency switcher. | ||||
| CVE-2023-0692 | 1 Wpmet | 1 Metform Elementor Contact Form Builder | 2024-12-20 | 4.3 Medium |
| The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_payment_status' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the payment status of arbitrary form submissions. | ||||
| CVE-2023-2895 | 1 Wpeasycart | 1 Wp Easycart | 2024-12-20 | 4.3 Medium |
| The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_activate_product function. This makes it possible for unauthenticated attackers to bulk activate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-2896 | 1 Wpeasycart | 1 Wp Easycart | 2024-12-20 | 4.3 Medium |
| The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_duplicate_product function. This makes it possible for unauthenticated attackers to duplicate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-2893 | 1 Wpeasycart | 1 Wp Easycart | 2024-12-20 | 4.3 Medium |
| The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_deactivate_product function. This makes it possible for unauthenticated attackers to deactivate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-2894 | 1 Wpeasycart | 1 Wp Easycart | 2024-12-20 | 4.3 Medium |
| The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_deactivate_product function. This makes it possible for unauthenticated attackers to bulk deactivate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-2897 | 1 Brizy | 1 Brizy | 2024-12-20 | 3.7 Low |
| The Brizy Page Builder plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.4.18. This is due to an implicit trust of user-supplied IP addresses in an 'X-Forwarded-For' HTTP header for the purpose of validating allowed IP addresses against a Maintenance Mode whitelist. Supplying a whitelisted IP address within the 'X-Forwarded-For' header allows maintenance mode to be bypassed and may result in the disclosure of potentially sensitive information or allow access to restricted functionality. | ||||
| CVE-2023-2892 | 1 Wpeasycart | 1 Wp Easycart | 2024-12-20 | 6.5 Medium |
| The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_delete_product function. This makes it possible for unauthenticated attackers to bulk delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-2285 | 1 Wpwhitesecurity | 1 Wp Activity Log | 2024-12-20 | 4.3 Medium |
| The WP Activity Log Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. This is due to missing or incorrect nonce validation on the ajax_switch_db function. This makes it possible for unauthenticated attackers to make changes to the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-2284 | 1 Wpwhitesecurity | 1 Wp Activity Log | 2024-12-20 | 4.3 Medium |
| The WP Activity Log Premium plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_switch_db function in versions up to, and including, 4.5.0. This makes it possible for authenticated attackers with subscriber-level or higher to make changes to the plugin's settings. | ||||
| CVE-2023-2261 | 1 Wpwhitesecurity | 1 Wp Activity Log | 2024-12-20 | 4.3 Medium |
| The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the handle_ajax_call function in versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with subscriber-level access or higher, to obtain a list of users with accounts on the site. This includes ids, usernames and emails. | ||||
| CVE-2024-12845 | 2024-12-20 | 3.5 Low | ||
| A vulnerability classified as problematic was found in Emlog Pro up to 2.4.1. Affected by this vulnerability is an unknown functionality in the library /include/lib/common.php. The manipulation of the argument msg leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||