Filtered by vendor Webfactoryltd
Subscriptions
Total
23 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-0831 | 1 Webfactoryltd | 1 Under Construction | 2024-12-20 | 4.3 Medium |
The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the dismiss_notice function called via the admin_action_ucp_dismiss_notice action. This makes it possible for unauthenticated attackers to dismiss plugin notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
CVE-2023-0832 | 1 Webfactoryltd | 1 Under Construction | 2024-12-20 | 4.3 Medium |
The Under Construction plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.96. This is due to missing or incorrect nonce validation on the install_weglot function called via the admin_action_install_weglot action. This makes it possible for unauthenticated attackers to perform an unauthorized install of the Weglot Translate plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
CVE-2024-5770 | 1 Webfactoryltd | 1 Wp Force Ssl | 2024-11-21 | 4.2 Medium |
The WP Force SSL & HTTPS SSL Redirect plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_setting' function in versions up to, and including, 1.66. This makes it possible for authenticated attackers, subscriber-level permissions and above, to update the plugin settings. | ||||
CVE-2024-5087 | 1 Webfactoryltd | 1 Minimal Coming Soon \& Maintenance Mode | 2024-11-21 | 6.3 Medium |
The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the validate_ajax, deactivate_ajax, and save_ajax functions in all versions up to, and including, 2.38. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the license key, which could disable features of the plugin. | ||||
CVE-2024-4661 | 1 Webfactoryltd | 1 Wp Reset | 2024-11-21 | 4.3 Medium |
The WP Reset plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_ajax function in all versions up to, and including, 2.02. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the value fo the 'License Key' field for the 'Activate Pro License' setting. | ||||
CVE-2024-1075 | 1 Webfactoryltd | 1 Minimal Coming Soon \& Maintenance Mode | 2024-11-21 | 3.7 Low |
The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to maintenance mode bypass and information disclosure in all versions up to, and including, 2.37. This is due to the plugin improperly validating the request path. This makes it possible for unauthenticated attackers to bypass maintenance mode and view pages that should be hidden. | ||||
CVE-2023-50837 | 1 Webfactoryltd | 1 Wp Login Lockdown | 2024-11-21 | 7.6 High |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WebFactory Ltd Login Lockdown – Protect Login Form.This issue affects Login Lockdown – Protect Login Form: from n/a through 2.06. | ||||
CVE-2023-49747 | 1 Webfactoryltd | 1 Guest Author | 2024-11-21 | 5.9 Medium |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebFactory Ltd Guest Author allows Stored XSS.This issue affects Guest Author: from n/a through 2.3. | ||||
CVE-2023-3601 | 1 Webfactoryltd | 1 Simple Author Box | 2024-11-21 | 4.3 Medium |
The Simple Author Box WordPress plugin before 2.52 does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor. | ||||
CVE-2023-1913 | 1 Webfactoryltd | 1 Maps Widget For Google Maps | 2024-11-21 | 4.4 Medium |
The Maps Widget for Google Maps for WordPress is vulnerable to Stored Cross-Site Scripting via widget settings in versions up to, and including, 4.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
CVE-2022-1583 | 1 Webfactoryltd | 1 External Links In New Window \/ New Tab | 2024-11-21 | 6.5 Medium |
The External Links in New Window / New Tab WordPress plugin before 1.43 does not ensure window.opener is set to "null" when links to external sites are clicked, which may enable tabnabbing attacks to occur. | ||||
CVE-2022-1582 | 1 Webfactoryltd | 1 External Links In New Window \/ New Tab | 2024-11-21 | 6.1 Medium |
The External Links in New Window / New Tab WordPress plugin before 1.43 does not properly escape URLs it concatenates to onclick event handlers, which makes Stored Cross-Site Scripting attacks possible. | ||||
CVE-2021-36909 | 1 Webfactoryltd | 1 Wp Reset Pro | 2024-11-21 | 8.8 High |
Authenticated Database Reset vulnerability in WordPress WP Reset PRO Premium plugin (versions <= 5.98) allows any authenticated user to wipe the entire database regardless of their authorization. It leads to a complete website reset and takeover. | ||||
CVE-2021-36908 | 1 Webfactoryltd | 1 Wp Reset Pro | 2024-11-21 | 8.8 High |
Cross-Site Request Forgery (CSRF) vulnerability in WebFactory Ltd. WP Reset PRO plugin <= 5.98 versions. | ||||
CVE-2021-24533 | 1 Webfactoryltd | 1 Maintenance | 2024-11-21 | 4.8 Medium |
The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them (even when the unfiltered_html capability is disallowed), which will be triggered in the frontend | ||||
CVE-2021-24424 | 1 Webfactoryltd | 1 Wp Reset | 2024-11-21 | 5.4 Medium |
The WP Reset – Most Advanced WordPress Reset Tool WordPress plugin before 1.90 did not sanitise or escape its extra_data parameter when creating a snapshot via the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue | ||||
CVE-2021-24142 | 1 Webfactoryltd | 1 301 Redirects | 2024-11-21 | 7.2 High |
Unvaludated input in the 301 Redirects - Easy Redirect Manager WordPress plugin, versions before 2.51, did not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections. | ||||
CVE-2020-7048 | 1 Webfactoryltd | 1 Wp Database Reset | 2024-11-21 | 9.1 Critical |
The WordPress plugin, WP Database Reset through 3.1, contains a flaw that allowed any unauthenticated user to reset any table in the database to the initial WordPress set-up state (deleting all site content stored in that table), as demonstrated by a wp-admin/admin-post.php?db-reset-tables[]=comments URI. | ||||
CVE-2020-7047 | 1 Webfactoryltd | 1 Wp Database Reset | 2024-11-21 | 8.8 High |
The WordPress plugin, WP Database Reset through 3.1, contains a flaw that gave any authenticated user, with minimal permissions, the ability (with a simple wp-admin/admin.php?db-reset-tables[]=users request) to escalate their privileges to administrator while dropping all other users from the table. | ||||
CVE-2020-6168 | 1 Webfactoryltd | 1 Minimal Coming Soon \& Maintenance Mode | 2024-11-21 | 7.6 High |
A flaw in the WordPress plugin, Minimal Coming Soon & Maintenance Mode through 2.10, allows authenticated users with basic access to enable and disable maintenance-mode settings (impacting the availability and confidentiality of a vulnerable site, along with the integrity of the setting). |