Total: 4572 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-7289 | 1 Paytium | 1 Paytium | 2024-10-17 | N/A | 4.3 MEDIUM |
The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized API key update due to a missing capability check on the paytium_sw_save_api_keys function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with subscriber-level access to change plugin API keys. | |||||
CVE-2023-7287 | 1 Paytium | 1 Paytium | 2024-10-17 | N/A | 5.4 MEDIUM |
The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized subscription cancellation due to a missing capability check on the pt_cancel_subscription function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with subscriber-level access to cancel a subscription to the plugin. | |||||
CVE-2023-7288 | 1 Paytium | 1 Paytium | 2024-10-17 | N/A | 4.3 MEDIUM |
The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the update_profile_preference function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with subscriber-level access to change plugin settings. | |||||
CVE-2023-42688 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2024-10-17 | N/A | 7.8 HIGH |
In wifi service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. | |||||
CVE-2024-45732 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-10-17 | N/A | 6.5 MEDIUM |
In Splunk Enterprise versions below 9.3.1, and 9.2.0 versions below 9.2.3, and Splunk Cloud Platform versions below 9.2.2403.103, 9.1.2312.200, 9.1.2312.110 and 9.1.2308.208, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a search as the "nobody" Splunk user in the SplunkDeploymentServerConfig app. This could let the low-privileged user access potentially restricted data. | |||||
CVE-2024-24739 | 1 Sap | 1 Bank Account Management | 2024-10-16 | N/A | 6.3 MEDIUM |
SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application. | |||||
CVE-2024-24741 | 1 Sap | 1 Master Data Governance For Material Data | 2024-10-16 | N/A | 4.3 MEDIUM |
SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform the necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information, but there is no impact on integrity and availability. | |||||
CVE-2024-25643 | 1 Sap | 1 Fiori | 2024-10-16 | N/A | 4.3 MEDIUM |
The SAP Fiori app (My Overtime Request) - version 605, does not perform the necessary authorization checks for an authenticated user, which may result in an escalation of privileges. It is possible to manipulate the URLs of data requests to access information that the user should not have access to. There is no impact on integrity and availability. | |||||
CVE-2023-42694 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2024-10-16 | N/A | 7.8 HIGH |
In wifi service, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. | |||||
CVE-2024-48902 | 1 Jetbrains | 1 Youtrack | 2024-10-16 | N/A | 5.4 MEDIUM |
In JetBrains YouTrack before 2024.3.46677, improper access control allowed users with project update permission to delete applications via the API. | |||||
CVE-2019-25217 | | | 2024-10-16 | N/A | 9.8 CRITICAL |
The SiteGround Optimizer plugin for WordPress is vulnerable to authorization bypass leading to Remote Code Execution and Local File Inclusion in versions up to, and including, 5.0.12 due to incorrect use of an access control attribute on the switch_php function called via the /switch-php REST API route. This allows attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. | |||||
CVE-2020-36837 | | | 2024-10-16 | N/A | 9.9 CRITICAL |
The ThemeGrill Demo Importer plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the reset_wizard_actions function in versions 1.3.4 through 1.6.1. This makes it possible for authenticated attackers to reset the WordPress database. After the reset, if there is a user named 'admin', the attacker will automatically be logged in as an administrator. | |||||
CVE-2022-4974 | | | 2024-10-16 | N/A | 6.3 MEDIUM |
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and _set_db_option functions in versions up to, and including, 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable. | |||||
CVE-2019-25215 | | | 2024-10-16 | N/A | 7.3 HIGH |
The ARI-Adminer plugin for WordPress is vulnerable to authorization bypass due to a lack of file access controls in nearly every file of the plugin in versions up to, and including, 1.1.14. This makes it possible for unauthenticated attackers to call the files directly and perform a wide variety of unauthorized actions, such as accessing a site's database and making changes. | |||||
CVE-2024-9891 | | | 2024-10-16 | N/A | 4.3 MEDIUM |
The Multiline files upload for contact form 7 plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the mfcf7_zl_custom_handle_deactivation_plugin_form_submission() function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin and send a custom reason from the site. | |||||
CVE-2020-36834 | | | 2024-10-16 | N/A | 6.3 MEDIUM |
The Discount Rules for WooCommerce plugin for WordPress is vulnerable to missing authorization via several AJAX actions in versions up to, and including, 2.0.2 due to missing capability checks on various functions. This makes it possible for subscriber-level attackers to perform a wide variety of unauthorized actions, such as modifying rules and saving configurations. | |||||
CVE-2019-25214 | | | 2024-10-16 | N/A | 7.2 HIGH |
The ShopWP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST API routes in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to call the endpoints and perform unauthorized actions such as updating the plugin's settings and injecting malicious scripts. | |||||
CVE-2021-4444 | | | 2024-10-16 | N/A | N/A |
The Product Filter by WooBeWoo plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.4.9 due to missing authorization checks on various functions. This makes it possible for unauthenticated attackers to perform unauthorized actions such as creating new filters and injecting malicious JavaScript into a vulnerable site. This was actively exploited at the time of discovery. | |||||
CVE-2020-36833 | | | 2024-10-16 | N/A | 6.3 MEDIUM |
The Indeed Membership Pro plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on various AJAX actions in versions 7.3 - 8.6. This makes it possible for authenticated attackers with minimal permissions, such as subscribers, to perform a variety of actions such as modifying settings and viewing sensitive data. | |||||
CVE-2024-9520 | 1 Wpuserplus | 1 Userplus | 2024-10-15 | N/A | 5.4 MEDIUM |
The UserPlus plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.0. This makes it possible for authenticated attackers with subscriber-level permissions or above to add, modify, or delete user meta and plugin options. | |||||