Total
5365 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-1091 | 1 Imagerecycle | 1 Imagerecycle Pdf \& Image Compression | 2024-12-27 | 4.3 Medium |
| The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reinitialize function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to remove all plugin data. | ||||
| CVE-2024-1089 | 1 Imagerecycle | 1 Imagerecycle Pdf \& Image Compression | 2024-12-27 | 4.3 Medium |
| The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the optimizeAllOn function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify image optimization settings. | ||||
| CVE-2024-12413 | 2024-12-27 | 5.3 Medium | ||
| The MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions like 'marketking_delete_team_member', 'marketkingrejectuser', 'marketking_save_profile_settings', and many more in all versions up to, and including, 2.0.00. This makes it possible for unauthenticated attackers to delete users, update settings, approve users, and more. | ||||
| CVE-2024-12190 | 2024-12-27 | 4.3 Medium | ||
| The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the bitform-form-entry-edit endpoint in all versions up to, and including, 2.17.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all form submissions from other users. | ||||
| CVE-2024-11281 | 2024-12-26 | 9.8 Critical | ||
| The WooCommerce Point of Sale plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0. This is due to insufficient validation on the 'logged_in_user_id' value when option values are empty and the ability for attackers to change the email of arbitrary user accounts. This makes it possible for unauthenticated attackers to change the email of arbitrary user accounts, including administrators, and reset their password to gain access to the account. | ||||
| CVE-2023-36504 | 1 Bbsetheme | 1 Bbs E-popup | 2024-12-26 | 6.5 Medium |
| Missing Authorization vulnerability in BBS e-Theme BBS e-Popup.This issue affects BBS e-Popup: from n/a through 2.4.5. | ||||
| CVE-2024-12266 | 2024-12-24 | 6.5 Medium | ||
| The ELEX WooCommerce Dynamic Pricing and Discounts plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the elex_dp_export_rules() and elex_dp_import_rules() functions in all versions up to, and including, 2.1.7. This makes it possible for unauthenticated attackers to import and export product rules along with obtaining phpinfo() data | ||||
| CVE-2022-43472 | 2024-12-23 | 4.3 Medium | ||
| Missing Authorization vulnerability in StylemixThemes eRoom – Zoom Meetings & Webinar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects eRoom – Zoom Meetings & Webinar: from n/a through 1.4.6. | ||||
| CVE-2024-1093 | 1 Simon99 | 1 Change Memory Limit | 2024-12-23 | 5.3 Medium |
| The Change Memory Limit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_logic() function hooked via admin_init in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to update the memory limit. | ||||
| CVE-2021-4356 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2024-12-23 | 9 Critical |
| The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Download in versions up to, and including, 18.2. This is due to lacking authentication protections, capability checks, and sanitization, all on the wpfm_file_meta_update AJAX action. This makes it possible for unauthenticated attackers to download arbitrary files on the site, potentially leading to site takeover. | ||||
| CVE-2021-4361 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2024-12-23 | 8.8 High |
| The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the jobsearch_job_integrations_settin_save AJAX action in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers to update arbitrary options on the site. | ||||
| CVE-2019-25142 | 1 Extendthemes | 2 Materialis, Mesmerize | 2024-12-23 | 8.8 High |
| The Mesmerize & Materialis themes for WordPress are vulnerable to authenticated options change in versions up to, and including,1.6.89 (Mesmerize) and 1.0.172 (Materialis). This is due to 'companion_disable_popup' function only checking the nonce while sending user input to the 'update_option' function. This makes it possible for authenticated attackers to change otherwise restricted options. | ||||
| CVE-2021-4368 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2024-12-23 | 9.9 Critical |
| The Frontend File Manager plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 18.2. This is due to lacking capability checks and a security nonce, all on the wpfm_save_settings AJAX action. This makes it possible for subscriber-level attackers to edit the plugin settings, such as the allowed upload file types. This can lead to remote code execution through other vulnerabilities. | ||||
| CVE-2020-36725 | 1 Templateinvaders | 1 Ti Woocommerce Wishlist | 2024-12-23 | 8.8 High |
| The TI WooCommerce Wishlist and TI WooCommerce Wishlist Pro plugins for WordPress are vulnerable to an Options Change vulnerability in versions up to, and including, 1.21.11 and 1.21.4 via the 'ti-woocommerce-wishlist/includes/export.class.php' file. This makes it possible for authenticated attackers to gain otherwise restricted access to the vulnerable blog and update any settings. | ||||
| CVE-2022-4950 | 2 Coolplugins, Cryptocurrency Payment \& Donation Box Plugins | 10 Cool Timeline, Cryptocurrency Widgets, Cryptocurrency Widgets For Elementor and 7 more | 2024-12-23 | 8.8 High |
| Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber. | ||||
| CVE-2021-4337 | 1 Xforwoocommerce | 16 Add Product Tabs, Autopilot Seo, Bulk Add To Cart and 13 more | 2024-12-23 | 8.8 High |
| Sixteen XforWooCommerce Add-On Plugins for WordPress are vulnerable to authorization bypass due to a missing capability check on the wp_ajax_svx_ajax_factory function in various versions listed below. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to read, edit, or delete WordPress settings, plugin settings, and to arbitrarily list all users on a WordPress website. The plugins impacted are: Product Filter for WooCommerce < 8.2.0, Improved Product Options for WooCommerce < 5.3.0, Improved Sale Badges for WooCommerce < 4.4.0, Share, Print and PDF Products for WooCommerce < 2.8.0, Product Loops for WooCommerce < 1.7.0, XforWooCommerce < 1.7.0, Package Quantity Discount < 1.2.0, Price Commander for WooCommerce < 1.3.0, Comment and Review Spam Control for WooCommerce < 1.5.0, Add Product Tabs for WooCommerce < 1.5.0, Autopilot SEO for WooCommerce < 1.6.0, Floating Cart < 1.3.0, Live Search for WooCommerce < 2.1.0, Bulk Add to Cart for WooCommerce < 1.3.0, Live Product Editor for WooCommerce < 4.7.0, and Warranties and Returns for WooCommerce < 5.3.0. | ||||
| CVE-2023-3053 | 1 Azexo | 1 Page Builder With Image Map By Azexo | 2024-12-20 | 5.4 Medium |
| The Page Builder by AZEXO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'azh_add_post' function in versions up to, and including, 1.27.133. This makes it possible for authenticated attackers to create a post with any post type and post status. | ||||
| CVE-2021-4338 | 1 Duckdev | 1 404 To 301 | 2024-12-20 | 6.4 Medium |
| The 404 to 301 plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the open_redirect & save_redirect functions in versions up to, and including, 3.0.7. This makes it possible for authenticated attackers to view, create and edit redirections. | ||||
| CVE-2020-36699 | 1 Quick Page\/post Redirect Project | 1 Quick Page\/post Redirect | 2024-12-20 | 4.3 Medium |
| The Quick Page/Post Redirect Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the qppr_save_quick_redirect_ajax and qppr_delete_quick_redirect functions in versions up to, and including, 5.1.9. This makes it possible for low-privileged attackers to interact with the plugin settings and to create a redirect link that would forward all traffic to an external malicious website. | ||||
| CVE-2021-4347 | 1 Zorem | 1 Advanced Shipment Tracking For Woocommerce | 2024-12-20 | 9.9 Critical |
| The function update_shipment_status_email_status_fun in the plugin Advanced Shipment Tracking for WooCommerce in versions up to 3.2.6 is vulnerable to authenticated arbitrary options update. The function allows attackers (including those at customer level) to update any WordPress option in the database. Version 3.2.5 was initially released as a fix, but doesn't fully address the issue. | ||||