Total
3284 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-6020 | 1 Ray Project | 1 Ray | 2024-08-02 | 7.5 High |
| LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. | ||||
| CVE-2023-6066 | 1 Kishorkhambu | 1 Wp Custom Widget Area | 2024-08-02 | 4.3 Medium |
| The WP Custom Widget area WordPress plugin through 1.2.5 does not properly apply capability and nonce checks on any of its AJAX action callback functions, which could allow attackers with subscriber+ privilege to create, delete or modify menus on the site. | ||||
| CVE-2023-6007 | 1 Userproplugin | 1 Userpro | 2024-08-02 | 7.3 High |
| The UserPro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.1.1. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options. | ||||
| CVE-2023-5949 | 1 Wpmudev | 1 Smartcrawl | 2024-08-02 | 7.5 High |
| The SmartCrawl WordPress plugin before 3.8.3 does not prevent unauthorised users from accessing password-protected posts' content. | ||||
| CVE-2023-5877 | 1 Servit | 1 Affiliate-toolkit | 2024-08-02 | 9.8 Critical |
| The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to it's affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URL's, including RFC1918 private addresses, leading to a Server Side Request Forgery (SSRF) issue. | ||||
| CVE-2023-5905 | 1 Demomentsomtres | 1 Export Posts With Images | 2024-08-02 | 8.1 High |
| The DeMomentSomTres WordPress Export Posts With Images WordPress plugin through 20220825 does not check authorization of requests to export the blog data, allowing any logged in user, such as subscribers to export the contents of the blog, including restricted and unpublished posts, as well as passwords of protected posts. | ||||
| CVE-2023-5712 | 1 Bowo | 1 System Dashboard | 2024-08-02 | 4.3 Medium |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_global_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive global value information. | ||||
| CVE-2023-5737 | 1 Webtoffee | 1 Backup And Migration | 2024-08-02 | 4.3 Medium |
| The WordPress Backup & Migration WordPress plugin before 1.4.4 does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings. | ||||
| CVE-2023-5711 | 1 Bowo | 1 System Dashboard | 2024-08-02 | 4.3 Medium |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_php_info() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive information provided by PHP info. | ||||
| CVE-2023-5611 | 1 Seraphinitesolutions | 1 Seraphinite Accelerator | 2024-08-02 | 5.3 Medium |
| The Seraphinite Accelerator WordPress plugin before 2.20.32 does not have authorisation and CSRF checks when resetting and importing its settings, allowing unauthenticated users to reset them | ||||
| CVE-2023-5710 | 1 Bowo | 1 System Dashboard | 2024-08-02 | 4.3 Medium |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_constants() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive information such as database credentials. | ||||
| CVE-2023-5714 | 1 Bowo | 1 System Dashboard | 2024-08-02 | 4.3 Medium |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_db_specs() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve data key specs. | ||||
| CVE-2023-5713 | 1 Bowo | 1 System Dashboard | 2024-08-02 | 4.3 Medium |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_option_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve potentially sensitive option values, and deserialize the content of those values. | ||||
| CVE-2023-5533 | 1 Quantumcloud | 1 Ai Chatbot | 2024-08-02 | 5.3 Medium |
| The AI ChatBot plugin for WordPress is vulnerable to unauthorized use of AJAX actions due to missing capability checks on the corresponding functions in versions up to, and including, 4.8.9 as well as 4.9.2. This makes it possible for unauthenticated attackers to perform some of those actions that were intended for higher privileged users. | ||||
| CVE-2023-5415 | 1 Funnelforms | 1 Funnelforms | 2024-08-02 | 4.3 Medium |
| The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_add_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to add new categories. | ||||
| CVE-2023-5454 | 1 Templately | 1 Templately | 2024-08-02 | 7.5 High |
| The Templately WordPress plugin before 2.2.6 does not properly authorize the `saved-templates/delete` REST API call, allowing unauthenticated users to delete arbitrary posts. | ||||
| CVE-2023-5506 | 1 Imagemapper Project | 1 Imagemapper | 2024-08-02 | 5.4 Medium |
| The ImageMapper plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'imgmap_delete_area_ajax' function in versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts and pages. | ||||
| CVE-2023-5411 | 1 Funnelforms | 1 Funnelforms | 2024-08-02 | 4.3 Medium |
| The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_save_post function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify certain post values. Note that the extent of modification is limited due to fixed values passed to the wp_update_post function. | ||||
| CVE-2023-5419 | 1 Funnelforms | 1 Funnelforms | 2024-08-02 | 4.3 Medium |
| The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_test_mail function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to send test emails to an arbitrary email address. | ||||
| CVE-2023-5417 | 1 Funnelforms | 1 Funnelforms | 2024-08-02 | 4.3 Medium |
| The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_update_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify the Funnelforms category for a given post ID. | ||||