Total: 2641 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3946 | 1 Collne | 1 Welcart E-commerce | 2023-11-07 | N/A | 6.5 MEDIUM |
| The Welcart e-Commerce WordPress plugin before 2.8.4 does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods. | |||||
| CVE-2022-3923 | 1 Activecampaign | 1 Activecampaign For Woocommerce | 2023-11-07 | N/A | 4.3 MEDIUM |
| The ActiveCampaign for WooCommerce WordPress plugin before 1.9.8 does not have authorisation check when cleaning up its error logs via an AJAX action, which could allow any authenticated users, such as subscriber to call it and remove error logs. | |||||
| CVE-2022-3911 | 1 Iubenda | 1 Iubenda-cookie-law-solution | 2023-11-07 | N/A | 8.8 HIGH |
| The iubenda WordPress plugin before 3.3.3 does not have authorisation and CSRF in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any authenticated users, such as subscriber can grant themselves any privileges, such as edit_plugins etc. | |||||
| CVE-2022-3622 | 1 Adenion | 1 Blog2social | 2023-11-07 | N/A | 4.3 MEDIUM |
| The Blog2Social plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in versions up to, and including, 6.9.11. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change some plugin settings intended to be modifiable by admins only. | |||||
| CVE-2022-3512 | 1 Cloudflare | 1 Warp | 2023-11-07 | N/A | 8.8 HIGH |
| Using warp-cli command "add-trusted-ssid", a user was able to disconnect WARP client and bypass the "Lock WARP switch" feature resulting in Zero Trust policies not being enforced on an affected endpoint. | |||||
| CVE-2022-3400 | 1 Bricksbuilder | 1 Bricks | 2023-11-07 | N/A | 6.5 MEDIUM |
| The Bricks theme for WordPress is vulnerable to authorization bypass due to a missing capability check on the bricks_save_post AJAX action in versions 1.0 to 1.5.3. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to edit any page, post, or template on the vulnerable WordPress website. | |||||
| CVE-2022-3337 | 1 Cloudflare | 1 Warp Mobile Client | 2023-11-07 | N/A | 8.5 HIGH |
| It was possible for a user to delete a VPN profile from WARP mobile client on iOS platform despite the Lock WARP switch https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch feature being enabled on Zero Trust Platform. This led to bypassing policies and restrictions enforced for enrolled devices by the Zero Trust platform. | |||||
| CVE-2022-3322 | 1 Cloudflare | 1 Warp Mobile Client | 2023-11-07 | N/A | 7.5 HIGH |
| Lock Warp switch is a feature of Zero Trust platform which, when enabled, prevents users of enrolled devices from disabling WARP client. Due to insufficient policy verification by WARP iOS client, this feature could be bypassed by using the "Disable WARP" quick action. | |||||
| CVE-2022-3321 | 1 Cloudflare | 1 Warp Mobile Client | 2023-11-07 | N/A | 8.2 HIGH |
| It was possible to bypass Lock WARP switch feature https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch on the WARP iOS mobile client by enabling both "Disable for cellular networks" and "Disable for Wi-Fi networks" switches at once in the application settings. Such configuration caused the WARP client to disconnect and allowed the user to bypass restrictions and policies enforced by the Zero Trust platform. | |||||
| CVE-2022-3320 | 1 Cloudflare | 1 Warp | 2023-11-07 | N/A | 9.8 CRITICAL |
| It was possible to bypass policies configured for Zero Trust Secure Web Gateway by using warp-cli 'set-custom-endpoint' subcommand. Using this command with an unreachable endpoint caused the WARP Client to disconnect and allowed bypassing administrative restrictions on a Zero Trust enrolled endpoint. | |||||
| CVE-2022-3082 | 1 Miniorange | 1 Discord Integration | 2023-11-07 | N/A | 6.5 MEDIUM |
| The miniOrange Discord Integration WordPress plugin before 2.1.6 does not have authorisation and CSRF in some of its AJAX actions, allowing any logged in users, such as subscriber to call them, and disable the app for example. | |||||
| CVE-2022-36404 | 1 Coleds | 1 Simple Seo | 2023-11-07 | N/A | 5.4 MEDIUM |
| Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in David Cole Simple SEO (WordPress plugin) plugin <= 1.8.12 versions. | |||||
| CVE-2022-31595 | 1 Sap | 1 Adaptive Server Enterprise | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| SAP Financial Consolidation - version 1010, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. | |||||
| CVE-2022-2552 | 1 Snapcreek | 1 Duplicator | 2023-11-07 | N/A | 5.3 MEDIUM |
| The Duplicator WordPress plugin before 1.4.7 does not authenticate or authorize visitors before displaying information about the system such as server software, php version and full file system path to the site. | |||||
| CVE-2022-2370 | 1 Yaycommerce | 1 Yaysmtp | 2023-11-07 | N/A | 6.5 MEDIUM |
| The YaySMTP WordPress plugin before 2.2.1 does not have capability check before displaying the Mailer Credentials in JS code for the settings, allowing any authenticated users, such as subscriber to retrieve them. | |||||
| CVE-2022-2108 | 1 Wbcomdesigns | 1 Buddypress Group Reviews | 2023-11-07 | N/A | 5.3 MEDIUM |
| The plugin Wbcom Designs – BuddyPress Group Reviews for WordPress is vulnerable to unauthorized settings changes and review modification due to missing capability checks and improper nonce checks in several functions related to said actions in versions up to, and including, 2.8.3. This makes it possible for unauthenticated attackers to modify reviews and plugin settings on the affected site. | |||||
| CVE-2022-25810 | 1 Transposh | 1 Transposh Wordpress Translation | 2023-11-07 | N/A | 6.5 MEDIUM |
| The Transposh WordPress Translation WordPress plugin through 1.0.8 exposes a couple of sensitive actions such as “tp_reset” under the Utilities tab (/wp-admin/admin.php?page=tp_utils), which can be used/executed as the lowest-privileged user. Basically all Utilities functionalities are vulnerable this way, which involves resetting configurations and backup/restore operations. | |||||
| CVE-2022-23055 | 1 Frappe | 1 Erpnext | 2023-11-07 | 5.5 MEDIUM | N/A |
| In ERPNext, versions v11.0.0-beta through v13.0.2 are vulnerable to Missing Authorization, in the chat rooms functionality. A low privileged attacker can send a direct message or a group message to any member or group, impersonating themselves as the administrator. The attacker can also read chat messages of groups that they do not belong to, and of other users. | |||||
| CVE-2022-20736 | 1 Cisco | 1 Appdynamics Controller | 2023-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability in the web-based management interface of Cisco AppDynamics Controller Software could allow an unauthenticated, remote attacker to access a configuration file and the login page for an administrative console that they would not normally have authorization to access. This vulnerability is due to improper authorization checking for HTTP requests that are submitted to the affected web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected instance of AppDynamics Controller. A successful exploit could allow the attacker to access the login page for an administrative console. AppDynamics has released software updates that address this vulnerability. | |||||
| CVE-2022-1574 | 1 Html2wp Project | 1 Html2wp | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
| The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks when importing files, and does not validate them, as a result, unauthenticated attackers can upload arbitrary files (such as PHP) on the remote server. | |||||
