| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The ElasticPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.3. This is due to missing or incorrect nonce validation on the epio_send_autosuggest_allowed() function. This makes it possible for unauthenticated attackers to send allowed parameters for autosuggest to elasticpress[.]io via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The Event Espresso 4 Decaf plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.10.11. This is due to missing or incorrect nonce validation on the ajaxHandler() function. This makes it possible for unauthenticated attackers to op into notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The Remove Schema plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the validate() function. This makes it possible for unauthenticated attackers to modify the plugins settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The Multiple Roles plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the mu_add_roles_in_signup_meta() and mu_add_roles_in_signup_meta_recently() functions. This makes it possible for unauthenticated attackers to add additional roles to users via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The Style Kits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.0. This is due to missing or incorrect nonce validation on the update_posts_stylekit() function. This makes it possible for unauthenticated attackers to update style kits for posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The Better Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the bsearch_process_settings_import() and bsearch_process_settings_export() functions. This makes it possible for unauthenticated attackers to import and export settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The Edwiser Bridge plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including,2.0.6. This is due to missing or incorrect nonce validation on the user_data_synchronization_initiater(), course_synchronization_initiater(), users_link_to_moodle_synchronization(), connection_test_initiater(), admin_menus(), and subscribe_handler() function. This makes it possible for unauthenticated attackers to perform unauthorized actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The Amministrazione Trasparente plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.1. This is due to missing or incorrect nonce validation on the at_save_aturl_meta() function. This makes it possible for unauthenticated attackers to update meta data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The Staff Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.6. This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to save custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The Rucy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.4.4. This is due to missing or incorrect nonce validation on the save_rc_post_meta() function. This makes it possible for unauthenticated attackers to save post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The Abandoned Cart Recovery for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the get_items() and extra_tablenav() functions. This makes it possible for unauthenticated attackers to perform read-only actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The Locations plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.1. This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to update custom field meta data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The Opal Estate plugin for WordPress is vulnerable to featured property modifications in versions up to, and including, 1.6.11. This is due to missing capability checks on the opalestate_set_feature_property() and opalestate_remove_feature_property() functions. This makes it possible for unauthenticated attackers to set and remove featured properties. |
| The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Options Change by using the flo_import_forms_options AJAX action in versions up to, and including, 1.0.35 due to insufficient input sanitization and output escaping along with missing capability checks. This makes it possible for authenticated attackers, like subscribers, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the jobsearch_add_job_import_schedule_call() function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers to add and/or modify schedule calls. |
| The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 5.5 due to insufficient input sanitization and output escaping on the 'save_content_front' function that uses print_r on the user-supplied $_REQUEST values . This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the jobsearch_job_integrations_settin_save AJAX action in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers to update arbitrary options on the site. |
| The Controlled Admin Access plugin for WordPress is vulnerable to Privilege Escalation in versions up to, and including, 1.5.5 by not properly restricting access to the configuration page. This makes it possible for attackers to create a new administrator role with unrestricted access. |
| The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 18.2. This is due to lacking authentication protections and lacking a security nonce on the wpfm_delete_file AJAX action. This makes it possible for unauthenticated attackers to delete any posts and pages on the site. |
| The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 3.1.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
