Total: 3284 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2023-3230 | 1 Fossbilling | 1 Fossbilling | 2024-08-02 | 7.5 High | Missing Authorization in GitHub repository fossbilling/fossbilling prior to 0.5.0.
CVE-2023-3204 | 1 Extendthemes | 1 Materialis | 2024-08-02 | 6.5 Medium | The Materialis theme for WordPress is vulnerable to limited arbitrary options updates in versions up to, and including, 1.1.24. This is due to missing authorization checks on the companion_disable_popup() function called via an AJAX action. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to modify any option on the site to a numerical value.
CVE-2023-3053 | 1 Azexo | 1 Page Builder With Image Map By Azexo | 2024-08-02 | 5.4 Medium | The Page Builder by AZEXO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'azh_add_post' function in versions up to, and including, 1.27.133. This makes it possible for authenticated attackers to create a post with any post type and post status.
CVE-2023-2945 | 1 Open-emr | 1 Openemr | 2024-08-02 | 5.4 Medium | Missing Authorization in GitHub repository openemr/openemr prior to 7.0.1.
CVE-2023-2784 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 4.2 Medium | Mattermost fails to verify whether the requestor is a sysadmin before allowing `install` requests to the Apps, allowing a regular user to send install requests to the Apps.
CVE-2023-2788 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 6.2 Medium | Mattermost fails to check whether an admin user account is active after an oauth2 flow is started, allowing an attacker with admin privileges to retain persistent access to Mattermost by obtaining an oauth2 access token while the attacker's account is deactivated.
CVE-2023-2786 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 4.3 Medium | Mattermost fails to properly check permissions when executing commands, allowing a member with no permission to post a message in a channel to post one anyway by executing channel commands.
CVE-2023-2787 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 6.5 Medium | Mattermost fails to check channel membership when accessing message threads, allowing an attacker to access arbitrary posts via the message threads API.
CVE-2023-2714 | 1 Groundhogg | 1 Groundhogg | 2024-08-02 | 4.3 Medium | The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_license' functions in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change the license key and support license key, although it can only be changed to a valid license key.
CVE-2023-2783 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 4.3 Medium | Mattermost Apps Framework fails to verify the secret provided in the incoming webhook request, allowing an attacker to modify the contents of the post sent by the Apps.
CVE-2023-2791 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 4.3 Medium | When creating a playbook run via the /dialog API, Mattermost fails to validate all parameters, allowing an authenticated attacker to edit an arbitrary channel post.
CVE-2023-2715 | 1 Groundhogg | 1 Groundhogg | 2024-08-02 | 4.3 Medium | The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_ticket' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers to create a support ticket that sends the website's data to the plugin developer, and it is also possible to create admin access with an auto-login link that is also sent to the plugin developer with the ticket. This only works if the plugin is activated with a valid license.
CVE-2023-2716 | 1 Groundhogg | 1 Groundhogg | 2024-08-02 | 5.4 Medium | The Groundhogg plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'ajax_upload_file' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload a file to the contact and then list all other uploaded files related to the contact.
CVE-2023-2590 | 1 Answer | 1 Answer | 2024-08-02 | 3.5 Low | Missing Authorization in GitHub repository answerdev/answer prior to 1.0.9.
CVE-2023-2545 | 1 Featherplugins | 1 Feather Login Page | 2024-08-02 | 8.1 High | The Feather Login Page plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'getListOfUsers' function in versions starting from 1.0.7 up to, and including, 1.1.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to access the login links, which can be used for privilege escalation.
CVE-2023-2547 | 1 Featherplugins | 1 Feather Login Page | 2024-08-02 | 5.4 Medium | The Feather Login Page plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deleteUser' function in versions starting from 1.0.7 up to, and including, 1.1.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete the temporary user generated by the plugin.
CVE-2023-2557 | 1 Pluginus | 1 Wordpress Currency Switcher Professional | 2024-08-02 | 4.3 Medium | The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save function in versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit an arbitrary custom drop-down currency switcher.
CVE-2023-2494 | 1 Granthweb | 1 Go Pricing | 2024-08-02 | 4.6 Medium | The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_postdata' function in versions up to, and including, 3.3.19. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin to modify access to the plugin, which should be the administrator's privilege only.
CVE-2023-2448 | 1 Userproplugin | 1 Userpro | 2024-08-02 | 6.5 Medium | The UserPro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'userpro_shortcode_template' function in versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. An attacker can leverage CVE-2023-2446 to obtain sensitive information via shortcodes.
CVE-2023-2434 | 1 Kylephillips | 1 Nested Pages | 2024-08-02 | 3.8 Low | The Nested Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'reset' function in versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with editor-level permissions and above, to reset plugin settings.