Total: 5353 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2021-4370 | 1 Stylemixthemes | 1 Ulisting | 2024-12-28 | 9.8 Critical | The uListing plugin for WordPress is vulnerable to authorization bypass as most actions and endpoints are accessible to unauthenticated users, lack security nonces, and data is seldom validated. This issue exists in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to conduct numerous administrative actions, including those less critical than the explicitly outlined ones in our detection.
CVE-2021-4374 | 1 Valvepress | 1 Wordpress Automatic Plugin | 2024-12-28 | 9.1 Critical | The WordPress Automatic Plugin for WordPress is vulnerable to arbitrary options updates in versions up to, and including, 3.53.2. This is due to missing authorization and option validation in the process_form.php file. This makes it possible for unauthenticated attackers to arbitrarily update the settings of a vulnerable site and ultimately compromise the entire site.
CVE-2020-36730 | 1 Niteothemes | 1 Cmp | 2024-12-28 | 8.3 High | The CMP for WordPress is vulnerable to authorization bypass due to a missing capability check on the cmp_get_post_detail(), niteo_export_csv(), and cmp_disable_comingsoon_ajax() functions in versions up to, and including, 3.8.1. This makes it possible for unauthenticated attackers to read posts, export subscriber lists, and/or deactivate the plugin.
CVE-2021-4381 | 1 Stylemixthemes | 1 Ulisting | 2024-12-28 | 9.8 Critical | The uListing plugin for WordPress is vulnerable to authorization bypass via wp_route due to missing capability checks, and a missing security nonce, in the StmListingSingleLayout::import_new_layout method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to change any WordPress option in the database.
CVE-2024-12558 | | | 2024-12-28 | 6.5 Medium | The WP BASE Booking of Appointments, Services and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_db function in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose sensitive information from the database, such as the hashed administrator password.
CVE-2024-0984 | 1 Imagerecycle | 1 Imagerecycle Pdf & Image Compression | 2024-12-27 | 4.3 Medium | The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disableOptimization function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to disable the image optimization setting.
CVE-2024-0983 | 1 Imagerecycle | 1 Imagerecycle Pdf & Image Compression | 2024-12-27 | 4.3 Medium | The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enableOptimization function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to enable image optimization.
CVE-2024-1091 | 1 Imagerecycle | 1 Imagerecycle Pdf & Image Compression | 2024-12-27 | 4.3 Medium | The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reinitialize function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to remove all plugin data.
CVE-2024-1089 | 1 Imagerecycle | 1 Imagerecycle Pdf & Image Compression | 2024-12-27 | 4.3 Medium | The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the optimizeAllOn function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify image optimization settings.
CVE-2024-12413 | | | 2024-12-27 | 5.3 Medium | The MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions like 'marketking_delete_team_member', 'marketkingrejectuser', 'marketking_save_profile_settings', and many more in all versions up to, and including, 2.0.00. This makes it possible for unauthenticated attackers to delete users, update settings, approve users, and more.
CVE-2024-12190 | | | 2024-12-27 | 4.3 Medium | The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the bitform-form-entry-edit endpoint in all versions up to, and including, 2.17.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all form submissions from other users.
CVE-2024-11281 | | | 2024-12-26 | 9.8 Critical | The WooCommerce Point of Sale plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0. This is due to insufficient validation on the 'logged_in_user_id' value when option values are empty and the ability for attackers to change the email of arbitrary user accounts. This makes it possible for unauthenticated attackers to change the email of arbitrary user accounts, including administrators, and reset their password to gain access to the account.
CVE-2023-36504 | 1 Bbsetheme | 1 Bbs E-popup | 2024-12-26 | 6.5 Medium | Missing Authorization vulnerability in BBS e-Theme BBS e-Popup. This issue affects BBS e-Popup: from n/a through 2.4.5.
CVE-2024-12266 | | | 2024-12-24 | 6.5 Medium | The ELEX WooCommerce Dynamic Pricing and Discounts plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the elex_dp_export_rules() and elex_dp_import_rules() functions in all versions up to, and including, 2.1.7. This makes it possible for unauthenticated attackers to import and export product rules along with obtaining phpinfo() data.
CVE-2022-43472 | | | 2024-12-23 | 4.3 Medium | Missing Authorization vulnerability in StylemixThemes eRoom – Zoom Meetings & Webinar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects eRoom – Zoom Meetings & Webinar: from n/a through 1.4.6.
CVE-2024-1093 | 1 Simon99 | 1 Change Memory Limit | 2024-12-23 | 5.3 Medium | The Change Memory Limit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_logic() function hooked via admin_init in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to update the memory limit.
CVE-2021-4356 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2024-12-23 | 9 Critical | The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Download in versions up to, and including, 18.2. This is due to lacking authentication protections, capability checks, and sanitization, all on the wpfm_file_meta_update AJAX action. This makes it possible for unauthenticated attackers to download arbitrary files on the site, potentially leading to site takeover.
CVE-2021-4361 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2024-12-23 | 8.8 High | The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the jobsearch_job_integrations_settin_save AJAX action in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers to update arbitrary options on the site.
CVE-2019-25142 | 1 Extendthemes | 2 Materialis, Mesmerize | 2024-12-23 | 8.8 High | The Mesmerize & Materialis themes for WordPress are vulnerable to authenticated options change in versions up to, and including, 1.6.89 (Mesmerize) and 1.0.172 (Materialis). This is due to the 'companion_disable_popup' function only checking the nonce while sending user input to the 'update_option' function. This makes it possible for authenticated attackers to change otherwise restricted options.
CVE-2021-4368 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2024-12-23 | 9.9 Critical | The Frontend File Manager plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 18.2. This is due to lacking capability checks and a security nonce, all on the wpfm_save_settings AJAX action. This makes it possible for subscriber-level attackers to edit the plugin settings, such as the allowed upload file types. This can lead to remote code execution through other vulnerabilities.