Total
4572 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-4369 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2023-11-07 | N/A | 5.3 MEDIUM |
| The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Content Injection in versions up to, and including, 18.2. This is due to lacking authorization protections, checks against users editing other's posts, and lacking a security nonce, all on the wpfm_edit_file_title_desc AJAX action. This makes it possible for unauthenticated attackers to edit the content and title of every page on the site. | |||||
| CVE-2021-4347 | 1 Zorem | 1 Advanced Shipment Tracking For Woocommerce | 2023-11-07 | N/A | 6.5 MEDIUM |
| The function update_shipment_status_email_status_fun in the plugin Advanced Shipment Tracking for WooCommerce in versions up to 3.2.6 is vulnerable to authenticated arbitrary options update. The function allows attackers (including those at customer level) to update any WordPress option in the database. Version 3.2.5 was initially released as a fix, but doesn't fully address the issue. | |||||
| CVE-2021-4346 | 1 Stylemixthemes | 1 Ulisting | 2023-11-07 | N/A | 7.5 HIGH |
| The uListing plugin for WordPress is vulnerable to Unauthenticated Arbitrary Account Changes in versions up to, and including, 1.6.6. This is due to missing login checks on the stm_listing_profile_edit AJAX action. This makes it possible for unauthenticated attackers to edit any account on the blog, such as changing the admin account's email address. | |||||
| CVE-2021-4371 | 1 Pluginmirror | 1 Wp Quick Frontend Editor | 2023-11-07 | N/A | 4.3 MEDIUM |
| The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to Setting Changs in versions up to, and including, 5.5. This is due to lacking both a security nonce and a capabilities check. This makes it possible for low-authenticated attackers to change plugin settings even when they do not have the capabilities to do so. | |||||
| CVE-2021-4345 | 1 Stylemixthemes | 1 Ulisting | 2023-11-07 | N/A | 5.3 MEDIUM |
| The uListing plugin for WordPress is vulnerable to authorization bypass due to missing capability and nonce checks on the UlistingUserRole::save_role_api method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to remove or add roles, and add capabilities. | |||||
| CVE-2021-4366 | 1 Magazine3 | 1 Pwa For Wp \& Amp | 2023-11-07 | N/A | 4.3 MEDIUM |
| The PWA for WP & AMP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the pwaforwp_update_features_options function in versions up to, and including, 1.7.32. This makes it possible for authenticated attackers to change the otherwise restricted settings within the plugin. | |||||
| CVE-2021-4364 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2023-11-07 | N/A | 4.3 MEDIUM |
| The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the jobsearch_add_job_import_schedule_call() function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers to add and/or modify schedule calls. | |||||
| CVE-2021-4376 | 1 Palscode | 1 Woocommerce Multi Currency | 2023-11-07 | N/A | 4.3 MEDIUM |
| The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value. | |||||
| CVE-2021-4341 | 1 Stylemixthemes | 1 Ulisting | 2023-11-07 | N/A | 9.8 CRITICAL |
| The uListing plugin for WordPress is vulnerable to authorization bypass via Ajax due to missing capability checks, missing input validation, and a missing security nonce in the stm_update_email_data AJAX action in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to change any WordPress option in the database. | |||||
| CVE-2021-4351 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2023-11-07 | N/A | 5.3 MEDIUM |
| The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Post Meta Change in versions up to, and including, 18.2. This is due to lacking authentication protections, capability checks, and sanitization, all on the wpfm_file_meta_update AJAX action. This makes it possible for unauthenticated attackers to change the meta data of certain posts and pages. | |||||
| CVE-2021-4381 | 1 Stylemixthemes | 1 Ulisting | 2023-11-07 | N/A | 9.8 CRITICAL |
| The uListing plugin for WordPress is vulnerable to authorization bypass via wp_route due to missing capability checks, and a missing security nonce, in the StmListingSingleLayout::import_new_layout method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to change any WordPress option in the database. | |||||
| CVE-2021-4388 | 1 Wpopal | 1 Opal Estate | 2023-11-07 | N/A | 5.3 MEDIUM |
| The Opal Estate plugin for WordPress is vulnerable to featured property modifications in versions up to, and including, 1.6.11. This is due to missing capability checks on the opalestate_set_feature_property() and opalestate_remove_feature_property() functions. This makes it possible for unauthenticated attackers to set and remove featured properties. | |||||
| CVE-2021-4362 | 1 Wpkube | 1 Kiwi Social Share | 2023-11-07 | N/A | 9.8 CRITICAL |
| The Kiwi Social Share plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the kiwi_social_share_get_option() function called via the kiwi_social_share_get_option AJAX action in version 2.1.0. This makes it possible for unauthenticated attackers to read and modify arbitrary options on a WordPress site that can be used for complete site takeover. This was a previously fixed vulnerability that was reintroduced in this version. | |||||
| CVE-2021-4368 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2023-11-07 | N/A | 8.8 HIGH |
| The Frontend File Manager plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 18.2. This is due to lacking capability checks and a security nonce, all on the wpfm_save_settings AJAX action. This makes it possible for subscriber-level attackers to edit the plugin settings, such as the allowed upload file types. This can lead to remote code execution through other vulnerabilities. | |||||
| CVE-2021-4356 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2023-11-07 | N/A | 9.8 CRITICAL |
| The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Download in versions up to, and including, 18.2. This is due to lacking authentication protections, capability checks, and sanitization, all on the wpfm_file_meta_update AJAX action. This makes it possible for unauthenticated attackers to download arbitrary files on the site, potentially leading to site takeover. | |||||
| CVE-2021-44595 | 1 Wondershare | 1 Dr.fone | 2023-11-07 | 9.0 HIGH | 8.8 HIGH |
| Wondershare Dr. Fone Latest version as of 2021-12-06 is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to the ElevationService.exe and execute arbitrary code without any validation with SYSTEM privileges. | |||||
| CVE-2021-41066 | 1 Bopsoft | 1 Listary | 2023-11-07 | 7.6 HIGH | 7.5 HIGH |
| An issue was discovered in Listary through 6. When Listary is configured as admin, Listary will not ask for permissions again if a user tries to access files on the system from Listary itself (it will bypass UAC protection; there is no privilege validation of the current user that runs via Listary). | |||||
| CVE-2021-32917 | 3 Debian, Fedoraproject, Prosody | 3 Debian Linux, Fedora, Prosody | 2023-11-07 | 4.3 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth. | |||||
| CVE-2021-30874 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2023-11-07 | 5.0 MEDIUM | 7.5 HIGH |
| An authorization issue was addressed with improved state management. This issue is fixed in iOS 15 and iPadOS 15. A VPN configuration may be installed by an app without user permission. | |||||
| CVE-2021-30155 | 3 Debian, Fedoraproject, Mediawiki | 3 Debian Linux, Fedora, Mediawiki | 2023-11-07 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. ContentModelChange does not check if a user has correct permissions to create and set the content model of a nonexistent page. | |||||