Total
2641 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-4947 | 1 Wpfactory | 1 Ean For Woocommerce | 2023-11-07 | N/A | 4.3 MEDIUM |
| The WooCommerce EAN Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refresh_order_ean_data AJAX action in versions up to 6.1.0. This makes it possible for authenticated attackers with contributor-level access and above, to update EAN numbers for orders. | |||||
| CVE-2023-4943 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2023-11-07 | N/A | 4.3 MEDIUM |
| The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobe_bulkoperations_visibility function. This makes it possible for authenticated attackers (subscriber or higher) to manipulate products. | |||||
| CVE-2023-4941 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2023-11-07 | N/A | 4.3 MEDIUM |
| The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobe_bulkoperations_swap function. This makes it possible for authenticated attackers (subscriber or higher) to manipulate products. | |||||
| CVE-2023-4938 | 1 Pluginus | 1 Bear - Woocommerce Bulk Editor And Products Manager Professional | 2023-11-07 | N/A | 4.3 MEDIUM |
| The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobe_bulkoperations_apply_default_combination function. This makes it possible for authenticated attackers (subscriber or higher) to manipulate products. | |||||
| CVE-2023-4668 | 1 Ad Inserter Project | 1 Ad Inserter | 2023-11-07 | N/A | 7.5 HIGH |
| The Ad Inserter for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.30 via the ai-debug-processing-fe URL parameter. This can allow unauthenticated attackers to extract sensitive data including installed plugins (present and active), active theme, various plugin settings, WordPress version, as well as some server settings such as memory limit, installation paths. | |||||
| CVE-2023-4645 | 1 Igorfuna | 1 Ad Inserter | 2023-11-07 | N/A | 5.3 MEDIUM |
| The Ad Inserter for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.30 via the ai_ajax function. This can allow unauthenticated attackers to extract sensitive data such as post titles and slugs (including those of protected posts along with their passwords), usernames, available roles, the plugin license key provided the remote debugging option is enabled. In the default state it is disabled. | |||||
| CVE-2023-4282 | 1 Wpdeveloper | 1 Embedpress | 2023-11-07 | N/A | 4.3 MEDIUM |
| The EmbedPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'admin_post_remove' and 'remove_private_data' functions in versions up to, and including, 3.8.2. This makes it possible for authenticated attackers with subscriber privileges or above, to delete plugin settings. | |||||
| CVE-2023-4059 | 1 Cozmoslabs | 1 Profile Builder | 2023-11-07 | N/A | 4.3 MEDIUM |
| The Profile Builder WordPress plugin before 3.9.8 lacks authorisation and CSRF in its page creation function which allows unauthenticated users to create the register, log-in and edit-profile pages from the plugin on the blog | |||||
| CVE-2023-3999 | 1 Plugin | 1 Waiting | 2023-11-07 | N/A | 4.3 MEDIUM |
| The Waiting: One-click countdowns plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on its AJAX calls in versions up to, and including, 0.6.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to create and delete countdowns as well as manipulate other plugin settings. | |||||
| CVE-2023-3998 | 1 Gvectors | 1 Wpdiscuz | 2023-11-07 | N/A | 5.3 MEDIUM |
| The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the userRate function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of a post. | |||||
| CVE-2023-3869 | 1 Gvectors | 1 Wpdiscuz | 2023-11-07 | N/A | 5.3 MEDIUM |
| The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the voteOnComment function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of a comment. | |||||
| CVE-2023-3076 | 1 Inspireui | 1 Mstore Api | 2023-11-07 | N/A | 9.8 CRITICAL |
| The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of their choice via their wholesale REST API endpoint. This is only exploitable if the site owner paid to access the plugin's pro features. | |||||
| CVE-2023-3053 | 1 Azexo | 1 Page Builder With Image Map By Azexo | 2023-11-07 | N/A | 4.3 MEDIUM |
| The Page Builder by AZEXO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'azh_add_post' function in versions up to, and including, 1.27.133. This makes it possible for authenticated attackers to create a post with any post type and post status. | |||||
| CVE-2023-36140 | 1 Phpjabbers | 1 Cleaning Business Software | 2023-11-07 | N/A | 9.8 CRITICAL |
| In PHPJabbers Cleaning Business Software 1.0, there is no encryption on user passwords allowing an attacker to gain access to all user accounts. | |||||
| CVE-2023-30969 | 1 Palantir | 1 Tiles | 2023-11-07 | N/A | 6.5 MEDIUM |
| The Palantir Tiles1 service was found to be vulnerable to an API wide issue where the service was not performing authentication/authorization on all the endpoints. | |||||
| CVE-2023-30950 | 1 Palantir | 1 Foundry Campaigns | 2023-11-07 | N/A | 5.9 MEDIUM |
| The foundry campaigns service was found to be vulnerable to an unauthenticated information disclosure in a rest endpoint | |||||
| CVE-2023-30948 | 1 Palantir | 1 Foundry Comments | 2023-11-07 | N/A | 6.5 MEDIUM |
| A security defect in Foundry's Comments functionality resulted in the retrieval of attachments to comments not being gated by additional authorization checks. This could enable an authenticated user to inject a prior discovered attachment UUID into other arbitrary comments to discover it's content. This defect was fixed in Foundry Comments 2.249.0, and a patch was rolled out to affected Foundry environments. No further intervention is required at this time. | |||||
| CVE-2023-2796 | 1 Myeventon | 1 Eventon | 2023-11-07 | N/A | 5.3 MEDIUM |
| The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id. | |||||
| CVE-2023-2716 | 1 Groundhogg | 1 Groundhogg | 2023-11-07 | N/A | 5.4 MEDIUM |
| The Groundhogg plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'ajax_upload_file' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload a file to the contact, and then lists all the other uploaded files related to the contact. | |||||
| CVE-2023-2715 | 1 Groundhogg | 1 Groundhogg | 2023-11-07 | N/A | 4.3 MEDIUM |
| The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_ticket' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers to create a support ticket that sends the website's data to the plugin developer, and it is also possible to create an admin access with an auto login link that is also sent to the plugin developer with the ticket. It only works if the plugin is activated with a valid license. | |||||