Total
4572 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-4468 | 1 Salonbookingsystem | 1 Salon Booking System | 2024-10-31 | N/A | 5.4 MEDIUM |
| The Salon booking system plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked into admin_init in all versions up to, and including, 9.9. This makes it possible for authenticated attackers with subscriber access or higher to modify plugin settings and view discount codes intended for other users. | |||||
| CVE-2024-5087 | 1 Webfactoryltd | 1 Minimal Coming Soon \& Maintenance Mode | 2024-10-31 | N/A | 5.4 MEDIUM |
| The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the validate_ajax, deactivate_ajax, and save_ajax functions in all versions up to, and including, 2.38. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the license key, which could disable features of the plugin. | |||||
| CVE-2024-4661 | 1 Webfactoryltd | 1 Wp Reset | 2024-10-31 | N/A | 4.3 MEDIUM |
| The WP Reset plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_ajax function in all versions up to, and including, 2.02. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the value fo the 'License Key' field for the 'Activate Pro License' setting. | |||||
| CVE-2020-36840 | 1 Motopress | 1 Timetable And Event Schedule | 2024-10-30 | N/A | 9.8 CRITICAL |
| The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wp_ajax_route_url() function called via a nopriv AJAX action in versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to call that function and perform a wide variety of actions such as including random template, injecting malicious web scripts, and more. | |||||
| CVE-2018-25105 | 1 Filemanagerpro | 1 File Manager | 2024-10-30 | N/A | 9.8 CRITICAL |
| The File Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in the /inc/root.php file in versions up to, and including, 3.0. This makes it possible for unauthenticated attackers to download arbitrary files from the server and upload arbitrary files that can be used for remote code execution. | |||||
| CVE-2021-4448 | 1 Kaswara Project | 1 Kaswara | 2024-10-30 | N/A | 9.8 CRITICAL |
| The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more. | |||||
| CVE-2022-4972 | 1 Wpchill | 1 Download Monitor | 2024-10-30 | N/A | 7.5 HIGH |
| The Download Monitor plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST-API routes related to reporting in versions up to, and including, 4.7.51. This makes it possible for unauthenticated attackers to view user data and other sensitive information intended for administrators. | |||||
| CVE-2022-36228 | 1 Janusintl | 6 Noke Hd\+ Smart Padlock, Noke Hd\+ Smart Padlock Firmware, Noke Hd Smart Padlock and 3 more | 2024-10-30 | N/A | 6.5 MEDIUM |
| Nokelock Smart padlock O1 Version 5.3.0 is vulnerable to Insecure Permissions. By sending a request, you can add any device and set the device password in the Nokelock app. | |||||
| CVE-2024-5607 | 1 Ninjateam | 1 Gdpr Ccpa Compliance \& Cookie Consent Banner | 2024-10-29 | N/A | 5.4 MEDIUM |
| The GDPR CCPA Compliance & Cookie Consent Banner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions named ajaxUpdateSettings() in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings, update page content, send arbitrary emails and inject malicious web scripts. | |||||
| CVE-2023-6876 | 1 Nayrathemes | 1 Clever Fox | 2024-10-29 | N/A | 5.4 MEDIUM |
| The Clever Fox – One Click Website Importer by Nayra Themes plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'clever-fox-activate-theme' function in all versions up to, and including, 25.2.0. This makes it possible for authenticated attackers, with subscriber access and above, to modify the active theme, including to an invalid value which can take down the site. | |||||
| CVE-2024-1689 | 1 Themefarmer | 1 Woocommerce Tools | 2024-10-29 | N/A | 5.3 MEDIUM |
| The WooCommerce Tools plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woocommerce_tool_toggle_module() function in all versions up to, and including, 1.2.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to deactivate arbitrary plugin modules. | |||||
| CVE-2023-6491 | 1 Wpchill | 1 Strong Testimonials | 2024-10-29 | N/A | 4.3 MEDIUM |
| The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the wpmtst_save_view_sticky function in all versions up to, and including, 3.1.12. This makes it possible for authenticated attackers, with contributor access and above, to modify favorite views. | |||||
| CVE-2024-50573 | 1 Jetbrains | 1 Hub | 2024-10-29 | N/A | 5.4 MEDIUM |
| In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services | |||||
| CVE-2024-49273 | 1 Metagauss | 1 Profilegrid | 2024-10-29 | N/A | 6.5 MEDIUM |
| Missing Authorization vulnerability in ProfileGrid User Profiles ProfileGrid.This issue affects ProfileGrid: from n/a through 5.9.3. | |||||
| CVE-2024-49321 | 1 Colorlib | 1 Simple Custom Post Order | 2024-10-29 | N/A | 4.3 MEDIUM |
| Missing Authorization vulnerability in Colorlib Simple Custom Post Order allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Custom Post Order: from n/a through 2.5.7. | |||||
| CVE-2024-49293 | 1 Rextheme | 1 Wp Vr | 2024-10-29 | N/A | 5.4 MEDIUM |
| Missing Authorization vulnerability in Rextheme WP VR allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP VR: from n/a through 8.5.4. | |||||
| CVE-2024-50475 | 2024-10-29 | N/A | N/A | ||
| Missing Authorization vulnerability in Scott Gamon Signup Page allows Privilege Escalation.This issue affects Signup Page: from n/a through 1.0. | |||||
| CVE-2024-9629 | 2024-10-29 | N/A | N/A | ||
| The Contact Form 7 + Telegram plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'wpcf7_Telegram::ajax' function in versions up to, and including, 0.8.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to approve, pause and refuse subscriptions. | |||||
| CVE-2024-50476 | 2024-10-29 | N/A | N/A | ||
| Missing Authorization vulnerability in GRÜN Software Group GmbH GRÜN spendino Spendenformular allows Privilege Escalation.This issue affects GRÜN spendino Spendenformular: from n/a through 1.0.1. | |||||
| CVE-2024-10437 | 2024-10-29 | N/A | 4.3 MEDIUM | ||
| The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to unauthorized Smar Message activation/deactivation due to a missing capability check on the ajax_enable function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate smart messages. | |||||