Total: 5731 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-4975 | 1 Seedprod | 1 Website Builder By Seedprod | 2023-11-07 | N/A | 4.3 MEDIUM | The Website Builder by SeedProd plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.15.13.1. This is due to missing or incorrect nonce validation on functionality in the builder.php file. This makes it possible for unauthenticated attackers to change the Stripe Connect token via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2023-4959 | 1 Redhat | 1 Quay | 2023-11-07 | N/A | 6.5 MEDIUM | A flaw was found in Quay. Cross-site request forgery (CSRF) attacks force a user to perform unwanted actions in an application. During the pentest, it was detected that the config-editor page is vulnerable to CSRF. The config-editor page is used to configure the Quay instance. By coercing the victim's browser into sending an attacker-controlled request from another domain, it is possible to reconfigure the Quay instance (including adding users with admin privileges). |
| CVE-2023-4942 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2023-11-07 | N/A | 4.3 MEDIUM | The BEAR plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulkoperations_visibility function. This makes it possible for unauthenticated attackers to manipulate products via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2023-4940 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2023-11-07 | N/A | 4.3 MEDIUM | The BEAR plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulkoperations_swap function. This makes it possible for unauthenticated attackers to manipulate products via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2023-4937 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2023-11-07 | N/A | 4.3 MEDIUM | The BEAR plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulkoperations_apply_default_combination function. This makes it possible for unauthenticated attackers to manipulate products via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2023-4935 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2023-11-07 | N/A | 4.3 MEDIUM | The BEAR plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the create_profile function. This makes it possible for unauthenticated attackers to create profiles via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2023-4926 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2023-11-07 | N/A | 4.3 MEDIUM | The BEAR plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulk_delete_products function. This makes it possible for unauthenticated attackers to delete products via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2023-4924 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2023-11-07 | N/A | 4.3 MEDIUM | The BEAR plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to missing capability checks on the woobe_bulkoperations_delete function. This makes it possible for authenticated attackers, with subscriber access or higher, to delete products. |
| CVE-2023-4923 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2023-11-07 | N/A | 4.3 MEDIUM | The BEAR plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulkoperations_delete function. This makes it possible for unauthenticated attackers to delete products via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2023-4920 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2023-11-07 | N/A | 8.8 HIGH | The BEAR plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_save_options function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. Additionally, input sanitization and escaping are insufficient, resulting in the possibility of malicious script injection. |
| CVE-2023-4059 | 1 Cozmoslabs | 1 Profile Builder | 2023-11-07 | N/A | 4.3 MEDIUM | The Profile Builder WordPress plugin before 3.9.8 lacks authorisation and CSRF checks in its page creation function, which allows unauthenticated users to create the register, log-in and edit-profile pages from the plugin on the blog. |
| CVE-2023-40671 | 1 Daxiawp | 1 Dx-auto-save-images | 2023-11-07 | N/A | 8.8 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in 大侠wp DX-auto-save-images plugin <= 1.4.0 versions. |
| CVE-2023-3356 | 1 Kreci | 1 Subscribers Text Counter | 2023-11-07 | N/A | 4.3 MEDIUM | The Subscribers Text Counter WordPress plugin before 1.7.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack; this also leads to Stored Cross-Site Scripting due to the lack of sanitisation and escaping. |
| CVE-2023-3254 | 1 Trustedindex | 1 Widgets For Google Reviews | 2023-11-07 | N/A | 4.3 MEDIUM | The Widgets for Google Reviews plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 10.9. This is due to missing or incorrect nonce validation within setup_no_reg_header.php. This makes it possible for unauthenticated attackers to reset plugin settings and remove reviews via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2023-3203 | 1 Inspireui | 1 Mstore Api | 2023-11-07 | N/A | 4.3 MEDIUM | The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_limit_product function. This makes it possible for unauthenticated attackers to update the limit on the number of products per category used for cached data on the home screen via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2023-3055 | 1 Azexo | 1 Page Builder With Image Map By Azexo | 2023-11-07 | N/A | 4.3 MEDIUM | The Page Builder by AZEXO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.27.133. This is due to missing or incorrect nonce validation on the 'azh_save' function. This makes it possible for unauthenticated attackers to update the post content and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2023-3052 | 1 Azexo | 1 Page Builder With Image Map By Azexo | 2023-11-07 | N/A | 8.8 HIGH | The Page Builder by AZEXO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.27.133. This is due to missing or incorrect nonce validation on the 'azh_add_post', 'azh_duplicate_post', 'azh_update_post' and 'azh_remove_post' functions. This makes it possible for unauthenticated attackers to create, modify, and delete a post via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2023-2736 | 1 Groundhogg | 1 Groundhogg | 2023-11-07 | N/A | 8.0 HIGH | The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. This is due to missing nonce validation in the 'ajax_edit_contact' function. This makes it possible for authenticated attackers to receive the auto-login link via shortcode and then modify the user assigned to the auto-login link to elevate verified user privileges via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. |
| CVE-2023-2717 | 1 Groundhogg | 1 Groundhogg | 2023-11-07 | N/A | 4.3 MEDIUM | The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. This is due to missing nonce validation on the 'enable_safe_mode' function. This makes it possible for unauthenticated attackers to enable safe mode, which disables all other plugins, via a forged request if they can successfully trick an administrator into performing an action such as clicking on a link. A warning message about safe mode is displayed to the admin, which can be easily disabled. |
| CVE-2023-2608 | 1 Themeisle | 1 Multiple Page Generator | 2023-11-07 | N/A | 4.3 MEDIUM | The Multiple Page Generator Plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to time-based SQL Injection via the orderby and order parameters in versions up to, and including, 3.3.17, due to missing nonce verification on the projects_list function, insufficient escaping of the user-supplied parameter, and lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries, leading to resource exhaustion via a forged request, granted they can trick an administrator into performing an action such as clicking on a link. Version 3.3.18 addresses the SQL Injection, which drastically reduced the severity. |
