Total
5365 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-36702 | 1 Brainstormforce | 1 Spectra | 2024-12-20 | 5.5 Medium |
| The Ultimate Addons for Gutenberg plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 1.14.7. This is due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber+ roles to update the plugin's settings. | ||||
| CVE-2022-4948 | 1 Flying-press | 1 Flyingpress | 2024-12-20 | 4.3 Medium |
| The FlyingPress plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 3.9.6. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to interact with the plugin in ways administrators are intended to. One action (save_config) allows for the configuration of an external CDN. This could be used to include malicious javascript from a source controlled by the attacker. | ||||
| CVE-2021-4364 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2024-12-20 | 4.3 Medium |
| The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the jobsearch_add_job_import_schedule_call() function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers to add and/or modify schedule calls. | ||||
| CVE-2019-25143 | 1 Mooveagency | 1 Gdpr Cookie Compliance | 2024-12-20 | 5.4 Medium |
| The GDPR Cookie Compliance plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the gdpr_cookie_compliance_reset_settings AJAX action in versions up to, and including, 4.0.2. This makes it possible for authenticated attackers to reset all of the settings. | ||||
| CVE-2020-36715 | 1 Xootix | 1 Login\/signup Popup | 2024-12-20 | 7.4 High |
| The Login/Signup Popup plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several functions in versions up to, and including, 1.4. This makes it possible for authenticated attackers to inject arbitrary web scripts into the plugin settings that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2020-36720 | 1 Kaliforms | 1 Kali Forms | 2024-12-20 | 7.1 High |
| The Kali Forms plugin for WordPress is vulnerable to Authenticated Options Change in versions up to, and including, 2.1.1. This is due to the update_option lacking proper authentication checks. This makes it possible for any authenticated attacker to change (or delete) the plugin's settings. | ||||
| CVE-2021-4366 | 1 Magazine3 | 1 Pwa For Wp \& Amp | 2024-12-20 | 6.3 Medium |
| The PWA for WP & AMP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the pwaforwp_update_features_options function in versions up to, and including, 1.7.32. This makes it possible for authenticated attackers to change the otherwise restricted settings within the plugin. | ||||
| CVE-2021-4371 | 1 Pluginmirror | 1 Wp Quick Frontend Editor | 2024-12-20 | 4.3 Medium |
| The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to Setting Changs in versions up to, and including, 5.5. This is due to lacking both a security nonce and a capabilities check. This makes it possible for low-authenticated attackers to change plugin settings even when they do not have the capabilities to do so. | ||||
| CVE-2021-4376 | 1 Palscode | 1 Woocommerce Multi Currency | 2024-12-20 | 4.3 Medium |
| The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value. | ||||
| CVE-2020-36729 | 1 2joomla | 1 2j Slideshow | 2024-12-20 | 5.4 Medium |
| The 2J-SlideShow Plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'twoj_slideshow_setup' function called via the wp_ajax_twoj_slideshow_setup AJAX action in versions up to, and including, 1.3.31. This makes it possible for authenticated attackers (Subscriber, or above level access) to allow attackers to perform otherwise restricted actions and subsequently deactivate any plugins on the blog. | ||||
| CVE-2021-4383 | 1 Webdevocean | 1 Wp Quick Frontend Editor | 2024-12-20 | 8.1 High |
| The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to page content injection in versions up to, and including, 5.5. This is due to missing capability checks in the plugin's page-editing functionality. This makes it possible for low-authenticated attackers, such as subscribers, to edit/create any page or post on the blog. | ||||
| CVE-2023-2189 | 1 Staxwp | 1 Stax | 2024-12-20 | 4.3 Medium |
| The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the toggle_widget function in versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to enable or disable Elementor widgets. | ||||
| CVE-2023-2557 | 1 Pluginus | 1 Wordpress Currency Switcher Professional | 2024-12-20 | 4.3 Medium |
| The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save function in versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit an arbitrary custom drop-down currency switcher. | ||||
| CVE-2024-12331 | 2024-12-20 | 4.3 Medium | ||
| The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_install_plugin' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Filebird plugin. | ||||
| CVE-2024-43222 | 1 Seventhqueen | 1 Sweet Date | 2024-12-20 | 9.8 Critical |
| Missing Authorization vulnerability in SeventhQueen Sweet Date.This issue affects Sweet Date: from n/a through 3.7.3. | ||||
| CVE-2017-13316 | 1 Google | 2 Android, Pixel | 2024-12-18 | 8.4 High |
| In checkPermissions of RecognitionService.java, there is a possible permissions bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2018-9477 | 1 Google | 1 Android | 2024-12-18 | 7.8 High |
| In the development options section of the Settings app, there is a possible authentication bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2024-54466 | 1 Apple | 1 Macos | 2024-12-18 | 6.5 Medium |
| An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An encrypted volume may be accessed by a different user without prompting for the password. | ||||
| CVE-2018-9469 | 1 Google | 1 Android | 2024-12-18 | 8.4 High |
| In multiple functions of ShortcutService.java, there is a possible creation of a spoofed shortcut due to a missing permission check. This could lead to local escalation of privilege in a privileged app with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2024-43087 | 1 Google | 1 Android | 2024-12-18 | 8.4 High |
| In getInstalledAccessibilityPreferences of AccessibilitySettings.java, there is a possible way to hide an enabled accessibility service in the accessibility service settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | ||||