Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-6696 | 1 Sygnoos | 1 Popup Builder | 2024-11-21 | N/A | 8.1 HIGH |
|
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 4.3.1. While some functions contain a nonce check, the nonce can be obtained from the profile page of a logged-in user. This allows subscribers to perform several actions including deleting subscribers and perform blind Server-Side Request Forgery.
|
|||||
| CVE-2023-6598 | 1 Softaculous | 1 Speedycache | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The SpeedyCache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the speedycache_save_varniship, speedycache_img_update_settings, speedycache_preloading_add_settings, and speedycache_preloading_delete_resource functions in all versions up to, and including, 1.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to update plugin options.
|
|||||
| CVE-2023-6496 | 1 Freeamigos | 1 Manage Notification E-mails | 2024-11-21 | N/A | 5.3 MEDIUM |
|
The Manage Notification E-mails plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.8.5 via the card_famne_export_settings function. This makes it possible for unauthenticated attackers to obtain plugin settings.
|
|||||
| CVE-2023-6491 | 1 Wpchill | 1 Strong Testimonials | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the wpmtst_save_view_sticky function in all versions up to, and including, 3.1.12. This makes it possible for authenticated attackers, with contributor access and above, to modify favorite views.
|
|||||
| CVE-2023-6038 | 1 H2o | 1 H2o | 2024-11-21 | N/A | 7.5 HIGH |
|
A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the default installation and does not require user interaction. The vulnerability can be exploited by making specific GET or POST requests to the ImportFiles and ParseSetup endpoints, respectively. This issue was identified in version 3.40.0.4 of h2o-3.
|
|||||
| CVE-2023-6020 | 1 Ray Project | 1 Ray | 2024-11-21 | N/A | 7.5 HIGH |
|
LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication.
|
|||||
| CVE-2023-6007 | 1 Userproplugin | 1 Userpro | 2024-11-21 | N/A | 7.3 HIGH |
|
The UserPro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.1.1. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.
|
|||||
| CVE-2023-6001 | 1 Yugabyte | 1 Yugabytedb | 2024-11-21 | N/A | 5.3 MEDIUM |
|
Prometheus metrics are available without
authentication. These expose detailed and sensitive information about the YugabyteDB Anywhere environment.
|
|||||
| CVE-2023-5949 | 1 Wpmudev | 1 Smartcrawl | 2024-11-21 | N/A | 7.5 HIGH |
|
The SmartCrawl WordPress plugin before 3.8.3 does not prevent unauthorised users from accessing password-protected posts' content.
|
|||||
| CVE-2023-5862 | 1 Hamza417 | 1 Inure | 2024-11-21 | N/A | 3.3 LOW |
|
Missing Authorization in GitHub repository hamza417/inure prior to Build95.
|
|||||
| CVE-2023-5737 | 1 Webtoffee | 1 Backup And Migration | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The WordPress Backup & Migration WordPress plugin before 1.4.4 does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings.
|
|||||
| CVE-2023-5714 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_db_specs() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve data key specs.
|
|||||
| CVE-2023-5713 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_option_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve potentially sensitive option values, and deserialize the content of those values.
|
|||||
| CVE-2023-5712 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_global_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive global value information.
|
|||||
| CVE-2023-5711 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_php_info() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive information provided by PHP info.
|
|||||
| CVE-2023-5710 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_constants() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive information such as database credentials.
|
|||||
| CVE-2023-5612 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 5.3 MEDIUM |
|
An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled.
|
|||||
| CVE-2023-5525 | 1 Limitloginattempts | 1 Limit Login Attempts Reloaded | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Limit Login Attempts Reloaded WordPress plugin before 2.25.26 is missing authorization on the `toggle_auto_update` AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin.
|
|||||
| CVE-2023-5506 | 1 Imagemapper Project | 1 Imagemapper | 2024-11-21 | N/A | 5.4 MEDIUM |
|
The ImageMapper plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'imgmap_delete_area_ajax' function in versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts and pages.
|
|||||
| CVE-2023-5419 | 1 Funnelforms | 1 Funnelforms | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_test_mail function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to send test emails to an arbitrary email address.
|
|||||
| CVE-2023-5417 | 1 Funnelforms | 1 Funnelforms | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_update_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify the Funnelforms category for a given post ID.
|
|||||
| CVE-2023-5416 | 1 Funnelforms | 1 Funnelforms | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete categories.
|
|||||
| CVE-2023-5415 | 1 Funnelforms | 1 Funnelforms | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_add_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to add new categories.
|
|||||
| CVE-2023-5411 | 1 Funnelforms | 1 Funnelforms | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_save_post function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify certain post values. Note that the extent of modification is limited due to fixed values passed to the wp_update_post function.
|
|||||
| CVE-2023-5387 | 1 Funnelforms | 1 Funnelforms | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_trigger_dark_mode function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to enable or disable the dark mode plugin setting.
|
|||||
| CVE-2023-5386 | 1 Funnelforms | 1 Funnelforms | 2024-11-21 | N/A | 6.5 MEDIUM |
|
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_posts function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts, including administrator posts, and posts not related to the Funnelforms Free plugin.
|
|||||
| CVE-2023-5385 | 1 Funnelforms | 1 Funnelforms | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_copy_posts function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to create copies of arbitrary posts.
|
|||||
| CVE-2023-5331 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | N/A | 4.3 MEDIUM |
|
Mattermost fails to properly check the creator of an attached file when adding the file to a draft post, potentially exposing unauthorized file information.
|
|||||
| CVE-2023-5321 | 1 Hamza417 | 1 Inure | 2024-11-21 | N/A | 5.5 MEDIUM |
|
Missing Authorization in GitHub repository hamza417/inure prior to build94.
|
|||||
| CVE-2023-5311 | 1 Wpvnteam | 1 Wp Extra | 2024-11-21 | N/A | 8.8 HIGH |
|
The WP EXtra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the register() function in versions up to, and including, 6.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify the contents of the .htaccess files located in a site's root directory or /wp-content and /wp-includes folders and achieve remote code execution.
|
|||||
| CVE-2023-5251 | 1 G5theme | 1 Grid Plus | 2024-11-21 | N/A | 5.4 MEDIUM |
|
The Grid Plus plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'grid_plus_save_layout_callback' and 'grid_plus_delete_callback' functions in versions up to, and including, 1.3.2. This makes it possible for authenticated attackers with subscriber privileges or above, to add, update or delete grid layout.
|
|||||
| CVE-2023-5165 | 1 Docker | 1 Docker Desktop | 2024-11-21 | N/A | 7.1 HIGH |
|
Docker Desktop before 4.23.0 allows an unprivileged user to bypass Enhanced Container Isolation (ECI) restrictions via the debug shell which remains accessible for a short time window after launching Docker Desktop. The affected functionality is available for Docker Business customers only and assumes an environment where users are not granted local root or Administrator privileges.
This issue has been fixed in Docker Desktop 4.23.0.
Affected Docker Desktop versions: from 4.13.0 before 4.23. ...
Show More |
|||||
| CVE-2023-5132 | 1 Soisy | 1 Soisy Pagamento Rateale | 2024-11-21 | N/A | 7.5 HIGH |
|
The Soisy Pagamento Rateale plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the parseRemoteRequest function in versions up to, and including, 6.0.1. This makes it possible for unauthenticated attackers with knowledge of an existing WooCommerce Order ID to expose sensitive WooCommerce order information (e.g., Name, Address, Email Address, and other order metadata).
|
|||||
| CVE-2023-5061 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 4.3 MEDIUM |
|
An issue has been discovered in GitLab affecting all versions starting from 9.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. In certain situations, it may have been possible for developers to override predefined CI variables via the REST API.
|
|||||
| CVE-2023-5056 | 1 Redhat | 2 Enterprise Linux, Service Interconnect | 2024-11-21 | N/A | 6.8 MEDIUM |
|
A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user's purview.
|
|||||
| CVE-2023-52275 | 1 Tecno-mobile | 2 Camon X, Camon X Firmware | 2024-11-21 | N/A | 2.1 LOW |
|
Gallery3d on Tecno Camon X CA7 devices allows attackers to view hidden images by navigating to data/com.android.gallery3d/.privatealbum/.encryptfiles and guessing the correct image file extension.
|
|||||
| CVE-2023-52232 | 1 Booster | 1 Booster For Woocommerce | 2024-11-21 | N/A | 6.5 MEDIUM |
|
Missing Authorization vulnerability in Pluggabl LLC Booster Plus for WooCommerce.This issue affects Booster Plus for WooCommerce: from n/a before 7.1.2.
|
|||||
| CVE-2023-52230 | 1 Booster | 1 Booster For Woocommerce | 2024-11-21 | N/A | 6.5 MEDIUM |
|
Missing Authorization vulnerability in Pluggabl LLC Booster Plus for WooCommerce.This issue affects Booster Plus for WooCommerce: from n/a before 7.1.3.
|
|||||
| CVE-2023-52229 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
|
Missing Authorization vulnerability in Save as PDF plugin by Pdfcrowd Word Replacer Pro.This issue affects Word Replacer Pro: from n/a through 1.0.
|
|||||
| CVE-2023-52227 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in MailerLite MailerLite – WooCommerce integration.This issue affects MailerLite – WooCommerce integration: from n/a through 2.0.8.
|
|||||