Total: 859 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2023-6983 | 1 Josevega | 1 Display Custom Fields In The Frontend - Post And User Profile Fields | 2024-11-21 | 4.3 Medium | The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.1 via the vg_display_data shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve potentially sensitive post meta. |
| CVE-2023-6824 | 1 Marvinlabs | 1 Wp Customer Area | 2024-11-21 | 6.5 Medium | The WP Customer Area WordPress plugin before 8.2.1 does not properly validate user capabilities in some of its AJAX actions, allowing any user to retrieve other users' account addresses. |
| CVE-2023-6630 | 1 Rocklobster | 1 Contact Form 7 | 2024-11-21 | 4.3 Medium | The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7_get_custom_field and CF7_get_current_user shortcodes due to missing validation on a user controlled key. This makes it possible for authenticated attackers with contributor access or higher to access arbitrary metadata of any post type, referencing the post by id and the meta by key. |
| CVE-2023-6523 | | | 2024-11-21 | 8.8 High | Authorization Bypass Through User-Controlled Key vulnerability in ExtremePacs Extreme XDS allows Authentication Abuse. This issue affects Extreme XDS: before 3914. |
| CVE-2023-6515 | 1 Miateknoloji | 1 Mia-med | 2024-11-21 | 8.8 High | Authorization Bypass Through User-Controlled Key vulnerability in Mia Technology Inc. MİA-MED allows Authentication Abuse. This issue affects MİA-MED: before 1.0.7. |
| CVE-2023-6384 | 1 Wp-eventmanager | 1 User Profile Avatar | 2024-11-21 | 4.3 Medium | The WP User Profile Avatar WordPress plugin before 1.0.1 does not properly check for authorisation, allowing authors to delete and update arbitrary avatars. |
| CVE-2023-6341 | 1 Catalisgov | 1 Cms360 | 2024-11-21 | 5.3 Medium | Catalis (previously Icon Software) CMS360 allows a remote, unauthenticated attacker to view sensitive court documents by modifying document and other identifiers in URLs. The impact varies based on the intention and configuration of a specific CMS360 installation. |
| CVE-2023-6226 | 1 Getshortcodes | 1 Shortcodes Ultimate | 2024-11-21 | 4.3 Medium | The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.13.3 via the su_meta shortcode due to missing validation on the user controlled keys 'key' and 'post_id'. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve arbitrary post meta values which may contain sensitive information when combined with another plugin. |
| CVE-2023-6223 | 1 Thimpress | 1 Learnpress | 2024-11-21 | 4.3 Medium | The LearnPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.5.7 via the /wp-json/lp/v1/profile/course-tab REST API due to missing validation on the 'userID' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve the details of another user's course progress. |
| CVE-2023-6144 | 1 Armanidrisi | 1 Dev Blog | 2024-11-21 | 9.1 Critical | Dev blog v1.0 allows an account takeover through the "user" cookie. With this, an attacker can access any user's session just by knowing their username. |
| CVE-2023-5544 | 3 Fedoraproject, Moodle, Redhat | 3 Fedora, Moodle, Enterprise Linux | 2024-11-21 | 6.5 Medium | Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk. |
| CVE-2023-51503 | 1 Automattic | 1 Woopayments | 2024-11-21 | 5.9 Medium | Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo. This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 6.9.2. |
| CVE-2023-51502 | 1 Automattic | 1 Woocommerce Stripe | 2024-11-21 | 7.5 High | Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Stripe Payment Gateway. This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.1. |
| CVE-2023-50342 | 1 Hcltech | 1 Dryice Myxalytics | 2024-11-21 | 7.1 High | HCL DRYiCE MyXalytics is impacted by an Insecure Direct Object Reference (IDOR) vulnerability. A user can obtain certain details about another user as a result of improper access control. |
| CVE-2023-50267 | 1 Metersphere | 1 Metersphere | 2024-11-21 | 4.3 Medium | MeterSphere is a one-stop open source continuous testing platform. Prior to 2.10.10-lts, authenticated attackers can update resources that do not belong to them if the resource ID is known. This issue is fixed in 2.10.10-lts. There are no known workarounds. |
| CVE-2023-4934 | 1 Usta | 1 Aybs | 2024-11-21 | 8.8 High | Authorization Bypass Through User-Controlled Key vulnerability in Usta AYBS allows Authentication Abuse, Authentication Bypass. This issue affects AYBS: before 1.0.3. |
| CVE-2023-4587 | 1 Zkteco | 2 Zem800, Zem800 Firmware | 2024-11-21 | 8.3 High | An IDOR vulnerability has been found in the ZKTeco ZEM800 product affecting version 6.60. This vulnerability allows a local attacker to obtain registered user backup files or device configuration files over a local network or through a VPN server. |
| CVE-2023-4101 | 1 Qsige | 1 Qsige | 2024-11-21 | 8.8 High | The QSige login SSO does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application. |
| CVE-2023-4099 | 1 Qsige | 1 Qsige | 2024-11-21 | 7.6 High | The QSige Monitor application does not have an access control mechanism to verify whether the user requesting a resource has sufficient permissions to do so. As a prerequisite, it is necessary to log into the application. |
| CVE-2023-49812 | 1 Wppa | 1 Wp Photo Album Plus | 2024-11-21 | 5.3 Medium | Authorization Bypass Through User-Controlled Key vulnerability in J.N. Breetvelt a.k.a. OpaJaap WP Photo Album Plus. This issue affects WP Photo Album Plus: from n/a through 8.5.02.005. |