Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-0837 | 1 Tms-outsource | 1 Amelia | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
|
The Amelia WordPress plugin before 1.0.48 does not have proper authorisation when handling Amelia SMS service, allowing any customer to send paid test SMS notification as well as retrieve sensitive information about the admin, such as the email, account balance and payment history. A malicious actor can abuse this vulnerability to drain out the account balance by keep sending SMS notification.
|
|||||
| CVE-2022-0833 | 1 Church Admin Project | 1 Church Admin | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The Church Admin WordPress plugin before 3.4.135 does not have authorisation and CSRF in some of its action as well as requested files, allowing unauthenticated attackers to repeatedly request the "refresh-backup" action, and simultaneously keep requesting a publicly accessible temporary file generated by the plugin in order to disclose the final backup filename, which can then be fetched by the attacker to download the backup of the plugin's DB data
|
|||||
| CVE-2022-0756 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5.
|
|||||
| CVE-2022-0755 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
Missing Authorization in GitHub repository salesagility/suitecrm prior to 7.12.5.
|
|||||
| CVE-2022-0745 | 1 Likebtn | 1 Like Button Rating | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
The Like Button Rating WordPress plugin before 2.6.45 allows any logged-in user, such as subscriber, to send arbitrary e-mails to any recipient, with any subject and body
|
|||||
| CVE-2022-0726 | 1 Framasoft | 1 Peertube | 2024-11-21 | 5.5 MEDIUM | 5.4 MEDIUM |
|
Missing Authorization in GitHub repository chocobozzz/peertube prior to 4.1.0.
|
|||||
| CVE-2022-0634 | 1 Caseproof | 1 Thirstyaffiliates Affiliate Link Manager | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
The ThirstyAffiliates WordPress plugin before 3.10.5 lacks authorization checks in the ta_insert_external_image action, allowing a low-privilege user (with a role as low as Subscriber) to add an image from an external URL to an affiliate link. Further the plugin lacks csrf checks, allowing an attacker to trick a logged in user to perform the action by crafting a special request.
|
|||||
| CVE-2022-0492 | 6 Canonical, Debian, Fedoraproject and 3 more | 30 Ubuntu Linux, Debian Linux, Fedora and 27 more | 2024-11-21 | 6.9 MEDIUM | 7.8 HIGH |
|
A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
|
|||||
| CVE-2022-0444 | 1 Watchful | 1 Xcloner | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin WordPress plugin before 4.3.6 does not have authorisation and CSRF checks when resetting its settings, allowing unauthenticated attackers to reset them, including generating a new backup encryption key.
|
|||||
| CVE-2022-0404 | 1 Material Design For Contact Form 7 Project | 1 Material Design For Contact Form 7 | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
The Material Design for Contact Form 7 WordPress plugin through 2.6.4 does not check authorization or that the option mentioned in the notice param belongs to the plugin when processing requests to the cf7md_dismiss_notice action, allowing any logged in user (with roles as low as Subscriber) to set arbitrary options to true, potentially leading to Denial of Service by breaking the site.
|
|||||
| CVE-2022-0398 | 1 Caseproof | 1 Thirstyaffiliates Affiliate Link Manager | 2024-11-21 | 4.9 MEDIUM | 5.4 MEDIUM |
|
The ThirstyAffiliates Affiliate Link Manager WordPress plugin before 3.10.5 does not have authorisation and CSRF checks when creating affiliate links, which could allow any authenticated user, such as subscriber to create arbitrary affiliate links, which could then be used to redirect users to an arbitrary website
|
|||||
| CVE-2022-0390 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 2.1 LOW | 4.3 MEDIUM |
|
Improper access control in Gitlab CE/EE versions 12.7 to 14.5.4, 14.6 to 14.6.4, and 14.7 to 14.7.1 allowed for project non-members to retrieve issue details when it was linked to an item from the vulnerability dashboard.
|
|||||
| CVE-2022-0345 | 1 Madewithfuel | 1 Customize Wordpress Emails And Alerts | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
The Customize WordPress Emails and Alerts WordPress plugin before 1.8.7 does not have authorisation and CSRF check in its bnfw_search_users AJAX action, allowing any authenticated users to call it and query for user e-mail prefixes (finding the first letter, then the second one, then the third one etc.).
|
|||||
| CVE-2022-0236 | 1 Vjinfotech | 2 Wp Import Export, Wp Import Export Lite | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The WP Import Export WordPress plugin (both free and premium versions) is vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download function wpie_process_file_download found in the ~/includes/classes/class-wpie-general.php file. This made it possible for unauthenticated attackers to download any imported or exported information from a vulnerable site which can contain sensitive information like user data. This affects versions up to, and including, ...
Show More |
|||||
| CVE-2022-0229 | 1 Miniorange | 1 Google Authenticator | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
|
The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable.
|
|||||
| CVE-2022-0218 | 1 Codemiq | 1 Wordpress Email Template Designer | 2024-11-21 | 4.3 MEDIUM | 8.3 HIGH |
|
The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the ~/includes/class-template-designer.php file, in versions up to and including 3.0.9. This makes it possible for attackers with no privileges to execute the endpoint and add malicious JavaScript to a vulnerable WordPress site.
|
|||||
| CVE-2022-0203 | 1 Craterapp | 1 Crater | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Improper Access Control in GitHub repository crater-invoice/crater prior to 6.0.2.
|
|||||
| CVE-2022-0179 | 1 Snipeitapp | 1 Snipe-it | 2024-11-21 | 4.9 MEDIUM | 5.4 MEDIUM |
|
snipe-it is vulnerable to Missing Authorization
|
|||||
| CVE-2022-0164 | 1 Wpdevart | 1 Coming Soon And Maintenance Mode | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users
|
|||||
| CVE-2022-0163 | 1 Rednao | 1 Smart Forms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
The Smart Forms WordPress plugin before 2.6.71 does not have authorisation in its rednao_smart_forms_entries_list AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form.
|
|||||
| CVE-2022-0152 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
An issue has been discovered in GitLab affecting all versions starting from 13.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to unauthorized access to some particular fields through the GraphQL API.
|
|||||
| CVE-2022-0125 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
An issue has been discovered in GitLab affecting all versions starting from 12.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not verifying that a maintainer of a project had the right access to import members from a target project.
|
|||||
| CVE-2021-4388 | 1 Wpopal | 1 Opal Estate | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Opal Estate plugin for WordPress is vulnerable to featured property modifications in versions up to, and including, 1.6.11. This is due to missing capability checks on the opalestate_set_feature_property() and opalestate_remove_feature_property() functions. This makes it possible for unauthenticated attackers to set and remove featured properties.
|
|||||
| CVE-2021-4383 | 1 Webdevocean | 1 Wp Quick Frontend Editor | 2024-11-21 | N/A | 8.1 HIGH |
|
The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to page content injection in versions up to, and including, 5.5. This is due to missing capability checks in the plugin's page-editing functionality. This makes it possible for low-authenticated attackers, such as subscribers, to edit/create any page or post on the blog.
|
|||||
| CVE-2021-4381 | 1 Stylemixthemes | 1 Ulisting | 2024-11-21 | N/A | 9.8 CRITICAL |
|
The uListing plugin for WordPress is vulnerable to authorization bypass via wp_route due to missing capability checks, and a missing security nonce, in the StmListingSingleLayout::import_new_layout method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to change any WordPress option in the database.
|
|||||
| CVE-2021-4376 | 1 Palscode | 1 Woocommerce Multi Currency | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value.
|
|||||
| CVE-2021-4374 | 1 Valvepress | 1 Wordpress Automatic Plugin | 2024-11-21 | N/A | 9.1 CRITICAL |
|
The WordPress Automatic Plugin for WordPress is vulnerable to arbitrary options updates in versions up to, and including, 3.53.2. This is due to missing authorization and option validation in the process_form.php file. This makes it possible for unauthenticated attackers to arbitrarily update the settings of a vulnerable site and ultimately compromise the entire site.
|
|||||
| CVE-2021-4371 | 1 Pluginmirror | 1 Wp Quick Frontend Editor | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to Setting Changs in versions up to, and including, 5.5. This is due to lacking both a security nonce and a capabilities check. This makes it possible for low-authenticated attackers to change plugin settings even when they do not have the capabilities to do so.
|
|||||
| CVE-2021-4370 | 1 Stylemixthemes | 1 Ulisting | 2024-11-21 | N/A | 9.8 CRITICAL |
|
The uListing plugin for WordPress is vulnerable to authorization bypass as most actions and endpoints are accessible to unauthenticated users, lack security nonces, and data is seldom validated. This issue exists in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to conduct numerous administrative actions, including those less critical than the explicitly outlined ones in our detection.
|
|||||
| CVE-2021-4369 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2024-11-21 | N/A | 5.8 MEDIUM |
|
The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Content Injection in versions up to, and including, 18.2. This is due to lacking authorization protections, checks against users editing other's posts, and lacking a security nonce, all on the wpfm_edit_file_title_desc AJAX action. This makes it possible for unauthenticated attackers to edit the content and title of every page on the site.
|
|||||
| CVE-2021-4368 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2024-11-21 | N/A | 9.9 CRITICAL |
|
The Frontend File Manager plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 18.2. This is due to lacking capability checks and a security nonce, all on the wpfm_save_settings AJAX action. This makes it possible for subscriber-level attackers to edit the plugin settings, such as the allowed upload file types. This can lead to remote code execution through other vulnerabilities.
|
|||||
| CVE-2021-4366 | 1 Magazine3 | 1 Pwa For Wp \& Amp | 2024-11-21 | N/A | 6.3 MEDIUM |
|
The PWA for WP & AMP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the pwaforwp_update_features_options function in versions up to, and including, 1.7.32. This makes it possible for authenticated attackers to change the otherwise restricted settings within the plugin.
|
|||||
| CVE-2021-4364 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the jobsearch_add_job_import_schedule_call() function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers to add and/or modify schedule calls.
|
|||||
| CVE-2021-4362 | 1 Wpkube | 1 Kiwi Social Share | 2024-11-21 | N/A | 9.8 CRITICAL |
|
The Kiwi Social Share plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the kiwi_social_share_get_option() function called via the kiwi_social_share_get_option AJAX action in version 2.1.0. This makes it possible for unauthenticated attackers to read and modify arbitrary options on a WordPress site that can be used for complete site takeover. This was a previously fixed vulnerability that was reintroduced in this version.
|
|||||
| CVE-2021-4361 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2024-11-21 | N/A | 8.8 HIGH |
|
The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the jobsearch_job_integrations_settin_save AJAX action in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers to update arbitrary options on the site.
|
|||||
| CVE-2021-4359 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2024-11-21 | N/A | 6.5 MEDIUM |
|
The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 18.2. This is due to lacking authentication protections and lacking a security nonce on the wpfm_delete_file AJAX action. This makes it possible for unauthenticated attackers to delete any posts and pages on the site.
|
|||||
| CVE-2021-4357 | 1 Stylemixthemes | 1 Ulisting | 2024-11-21 | N/A | 9.1 CRITICAL |
|
The uListing plugin for WordPress is vulnerable to authorization bypass due to missing capability checks, and a missing security nonce, on the UlistingUserRole::save_role_api function in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to arbitrarily delete site posts and pages.
|
|||||
| CVE-2021-4356 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2024-11-21 | N/A | 9.0 CRITICAL |
|
The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Download
in versions up to, and including, 18.2. This is due to lacking authentication protections, capability checks, and sanitization, all on the wpfm_file_meta_update AJAX action. This makes it possible for unauthenticated attackers to download arbitrary files on the site, potentially leading to site takeover.
|
|||||
| CVE-2021-4353 | 1 Rightpress | 1 Woocommerce Dynamic Pricing \& Discounts | 2024-11-21 | N/A | 5.3 MEDIUM |
|
The WooCommerce Dynamic Pricing and Discounts plugin for WordPress is vulnerable to unauthenticated settings export in versions up to, and including, 2.4.1. This is due to missing authorization on the export() function which makes makes it possible for unauthenticated attackers to export the plugin's settings.
|
|||||
| CVE-2021-4351 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2024-11-21 | N/A | 5.8 MEDIUM |
|
The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Post Meta Change in versions up to, and including, 18.2. This is due to lacking authentication protections, capability checks, and sanitization, all on the wpfm_file_meta_update AJAX action. This makes it possible for unauthenticated attackers to change the meta data of certain posts and pages.
|
|||||