Filtered by vendor Webfactoryltd Subscriptions
Total 23 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-0831 1 Webfactoryltd 1 Under Construction 2024-12-20 4.3 Medium
The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the dismiss_notice function called via the admin_action_ucp_dismiss_notice action. This makes it possible for unauthenticated attackers to dismiss plugin notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2023-0832 1 Webfactoryltd 1 Under Construction 2024-12-20 4.3 Medium
The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the install_weglot function called via the admin_action_install_weglot action. This makes it possible for unauthenticated attackers to perform an unauthorized install of the Weglot Translate plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-5770 1 Webfactoryltd 1 Wp Force Ssl 2024-11-21 4.2 Medium
The WP Force SSL & HTTPS SSL Redirect plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_setting' function in versions up to, and including, 1.66. This makes it possible for authenticated attackers, subscriber-level permissions and above, to update the plugin settings.
CVE-2024-5087 1 Webfactoryltd 1 Minimal Coming Soon \& Maintenance Mode 2024-11-21 6.3 Medium
The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the validate_ajax, deactivate_ajax, and save_ajax functions in all versions up to, and including, 2.38. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the license key, which could disable features of the plugin.
CVE-2024-4661 1 Webfactoryltd 1 Wp Reset 2024-11-21 4.3 Medium
The WP Reset plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_ajax function in all versions up to, and including, 2.02. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the value fo the 'License Key' field for the 'Activate Pro License' setting.
CVE-2024-1075 1 Webfactoryltd 1 Minimal Coming Soon \& Maintenance Mode 2024-11-21 3.7 Low
The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to maintenance mode bypass and information disclosure in all versions up to, and including, 2.37. This is due to the plugin improperly validating the request path. This makes it possible for unauthenticated attackers to bypass maintenance mode and view pages that should be hidden.
CVE-2023-50837 1 Webfactoryltd 1 Wp Login Lockdown 2024-11-21 7.6 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WebFactory Ltd Login Lockdown – Protect Login Form.This issue affects Login Lockdown – Protect Login Form: from n/a through 2.06.
CVE-2023-49747 1 Webfactoryltd 1 Guest Author 2024-11-21 5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebFactory Ltd Guest Author allows Stored XSS.This issue affects Guest Author: from n/a through 2.3.
CVE-2023-3601 1 Webfactoryltd 1 Simple Author Box 2024-11-21 4.3 Medium
The Simple Author Box WordPress plugin before 2.52 does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor.
CVE-2023-1913 1 Webfactoryltd 1 Maps Widget For Google Maps 2024-11-21 4.4 Medium
The Maps Widget for Google Maps for WordPress is vulnerable to Stored Cross-Site Scripting via widget settings in versions up to, and including, 4.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2022-1583 1 Webfactoryltd 1 External Links In New Window \/ New Tab 2024-11-21 6.5 Medium
The External Links in New Window / New Tab WordPress plugin before 1.43 does not ensure window.opener is set to "null" when links to external sites are clicked, which may enable tabnabbing attacks to occur.
CVE-2022-1582 1 Webfactoryltd 1 External Links In New Window \/ New Tab 2024-11-21 6.1 Medium
The External Links in New Window / New Tab WordPress plugin before 1.43 does not properly escape URLs it concatenates to onclick event handlers, which makes Stored Cross-Site Scripting attacks possible.
CVE-2021-36909 1 Webfactoryltd 1 Wp Reset Pro 2024-11-21 8.8 High
Authenticated Database Reset vulnerability in WordPress WP Reset PRO Premium plugin (versions <= 5.98) allows any authenticated user to wipe the entire database regardless of their authorization. It leads to a complete website reset and takeover.
CVE-2021-36908 1 Webfactoryltd 1 Wp Reset Pro 2024-11-21 8.8 High
Cross-Site Request Forgery (CSRF) vulnerability in WebFactory Ltd. WP Reset PRO plugin <= 5.98 versions.
CVE-2021-24533 1 Webfactoryltd 1 Maintenance 2024-11-21 4.8 Medium
The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them (even when the unfiltered_html capability is disallowed), which will be triggered in the frontend
CVE-2021-24424 1 Webfactoryltd 1 Wp Reset 2024-11-21 5.4 Medium
The WP Reset – Most Advanced WordPress Reset Tool WordPress plugin before 1.90 did not sanitise or escape its extra_data parameter when creating a snapshot via the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue
CVE-2021-24142 1 Webfactoryltd 1 301 Redirects 2024-11-21 7.2 High
Unvaludated input in the 301 Redirects - Easy Redirect Manager WordPress plugin, versions before 2.51, did not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections.
CVE-2020-7048 1 Webfactoryltd 1 Wp Database Reset 2024-11-21 9.1 Critical
The WordPress plugin, WP Database Reset through 3.1, contains a flaw that allowed any unauthenticated user to reset any table in the database to the initial WordPress set-up state (deleting all site content stored in that table), as demonstrated by a wp-admin/admin-post.php?db-reset-tables[]=comments URI.
CVE-2020-7047 1 Webfactoryltd 1 Wp Database Reset 2024-11-21 8.8 High
The WordPress plugin, WP Database Reset through 3.1, contains a flaw that gave any authenticated user, with minimal permissions, the ability (with a simple wp-admin/admin.php?db-reset-tables[]=users request) to escalate their privileges to administrator while dropping all other users from the table.
CVE-2020-6168 1 Webfactoryltd 1 Minimal Coming Soon \& Maintenance Mode 2024-11-21 7.6 High
A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.10, allows authenticated users with basic access to enable and disable maintenance-mode settings (impacting the availability and confidentiality of a vulnerable site, along with the integrity of the setting).