Archives: Reports
CVE ID:
CVE-2022-3883
WordPress Plugin
stopbadbots
Vulnerability Type:
Missing Authorization
Date:
2022-11-07
The plugin contains a Missing Authorization vulnerability due to a missing capability check in the stopbadbots_install_plugin AJAX action, which makes it possible for authenticated attackers with a role as low as subscriber to install and activate arbitrary plugins from WordPress.org repository.
CVE ID:
CVE-2022-3946
WordPress Plugin
usc-e-shop
Vulnerability Type:
Missing Authorization
Date:
2022-11-07
The plugin contains a Missing Authorization vulnerability due to a missing capability check in the shop_options_ajax AJAX action, which makes it possible for authenticated attackers with a role as low as subscriber to create, update and delete shipping methods.
CVE ID:
CVE-2022-3935
WordPress Plugin
usc-e-shop
Vulnerability Type:
Cross-Site Scripting (XSS),
Missing Authorization
Date:
2022-11-07
The plugin contains a Missing Authorization vulnerability due to a missing capability check in multiple AJAX actions, and it’s also contains a Cross-Site Scripting (XSS) vulnerability due to the plugin does not sanitize and escape some parameters, which makes it possible for attackers to inject arbitrary web scripts.
CVE ID:
CVE-2022-4124
WordPress Plugin
popup-manager
Vulnerability Type:
Missing Authorization
Date:
2022-11-07
The plugin contains a Missing Authorization vulnerability due to a missing capability check in the pm_delete_popup AJAX action, which makes it possible for unauthenticated attackers to delete arbitrary popup.
CVE ID:
CVE-2022-4125
WordPress Plugin
popup-manager
Vulnerability Type:
Cross-Site Scripting (XSS),
Missing Authorization
Date:
2022-11-07
The plugin contains a Missing Authorization vulnerability due to a missing capability check in the pm_save_data AJAX action, which makes it possible for unauthenticated attackers to access popup update functionality. The plugin also contains a Cross-Site Scripting (XSS) vulnerability, due to the plugin does not sanitize and escape the popup_html parameter, which makes it possible to inject arbitrary web scripts.
CVE ID:
CVE-2022-3994
WordPress Plugin
authenticator
Vulnerability Type:
Denial of Service (DoS),
Missing Authorization
Date:
2022-11-07
The plugin does not prevent subscribers from updating a site’s feed access token, which may deny other users access to the functionality in certain configurations. The plugin contains a Missing Authorization vulnerability due to a missing capability check in the regenerate_token AJAX action, which makes it possible for authenticated attackers with a role as low as subscriber to update the site’s feed access token, which may deny other users access to the website.
CVE ID:
CVE-2022-3961
WordPress Plugin
directorist
Vulnerability Type:
Missing Authorization
Date:
2022-11-07
The plugin contains a Missing Authorization vulnerability due to a missing capability check in the send_system_info and generate_url AJAX actions, which makes it possible for authenticated attackers with a role as low as subscriber to extract sensitive data including system information.
CVE ID:
CVE-2022-3894
WordPress Plugin
oauth2-provider
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-11-07
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check in the wo_remove_client AJAX action, which makes it possible for attackers to delete arbitrary post because the post type check is also missing via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-3923
WordPress Plugin
activecampaign-for-woocommerce
Vulnerability Type:
Cross-Site Request Forgery (CSRF),
Missing Authorization
Date:
2022-11-07
The plugin contains a Missing Authorization vulnerability due to a missing capability check in the activecampaign_for_woocommerce_clear_error_log AJAX action, which makes it possible for authenticated attackers with a role as low as subscriber to delete error logs.
CVE ID:
CVE-2022-3891
WordPress Plugin
wp-fullcalendar
Vulnerability Type:
Missing Authorization,
Sensitive Data Disclosure
Date:
2022-11-07
The plugin contains a Missing Authorization vulnerability due to a missing capability check in the wpfc_qtip_content AJAX action, which makes it possible for authenticated attackers with a role as low as subscriber to extract sensitive data including post content of a draft, private or password-protected post.
CVE ID:
CVE-2022-3892
WordPress Plugin
oauth2-provider
Vulnerability Type:
Cross-Site Scripting (XSS)
Date:
2022-11-07
The plugin contains a Cross-Site Scripting (XSS) vulnerability due to the plugin does not sanitize and escape some parameters, which makes it possible for authenticated attackers with a role as low as administrator to inject arbitrary web scripts.
CVE ID:
CVE-2022-3937
WordPress Plugin
easy-video-player
Vulnerability Type:
Cross-Site Scripting (XSS)
Date:
2022-11-07
The plugin contains a Cross-Site Scripting (XSS) vulnerability due to the plugin does not sanitize and escape some parameters, which makes it possible for authenticated users with a role as low as contributor to inject arbitrary web scripts into pages.
CVE ID:
CVE-2022-43472
WordPress Plugin
eroom-zoom-meetings-webinar
Vulnerability Type:
Missing Authorization,
Sensitive Data Disclosure
Date:
2022-10-25
The plugin contains a Missing Authorization vulnerability due to a missing capability check in the stm_wpcfto_get_settings AJAX action, which makes it possible for authenticated attackers with a role as low as subscriber to extract sensitive data including meeting’s data.
CVE ID:
CVE-2022-38063
WordPress Plugin
social-login-wp
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-10-17
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check in the social_login_update AJAX action, which makes it possible for attackers to update plugin settings via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-38456
WordPress Plugin
ajax-search-lite
Vulnerability Type:
Missing Authorization,
Sensitive Data Disclosure
Date:
2022-10-17
The plugin contains a Missing Authorization vulnerability due to a missing capability check in the wd_search_cf AJAX action, which makes it possible for authenticated attackers with a role as low as subscriber to extract sensitive data including post metadata.
CVE ID:
CVE-2022-41655
WordPress Plugin
phone-orders-for-woocommerce
Vulnerability Type:
Missing Authorization,
Sensitive Data Disclosure
Date:
2022-10-17
The plugin contains a Missing Authorization vulnerability due to a missing capability check in the phone-orders-for-woocommerce AJAX action, which makes it possible for authenticated attackers with a role as low as subscriber to extract sensitive data including user’s personal data.
CVE ID:
CVE-2022-43482
WordPress Plugin
appointment-booking-calendar
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-10-14
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when submitting feedback, which makes it possible for attackers to send feedback via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-41692
WordPress Plugin
appointment-hour-booking
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-10-14
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when submitting feedback, which makes it possible for attackers to send feedback via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2023-25037
WordPress Plugin
booking-calendar-contact-form
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-10-14
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when submitting feedback, which makes it possible for attackers to send feedback via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2023-28494
WordPress Plugin
contact-form-to-email
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-10-14
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when submitting feedback, which makes it possible for attackers to send feedback via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2023-27460
WordPress Plugin
cp-contact-form-with-paypal
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-10-14
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when submitting feedback, which makes it possible for attackers to send feedback via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2023-28492
WordPress Plugin
cp-multi-view-calendar
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-10-14
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when submitting feedback, which makes it possible for attackers to send feedback via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-41790
WordPress Plugin
wp-time-slots-booking-form
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-10-14
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when submitting feedback, which makes it possible for attackers to send feedback via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2023-41732
WordPress Plugin
cp-blocks
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-10-14
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check in the cp_feedback AJAX action, which makes it possible for attackers to submit feedback via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2023-26523
WordPress Plugin
calculated-fields-form
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-10-14
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when submitting feedback, which makes it possible for attackers to send feedback via a forged request if they can trick an administrator into performing an action such as clicking on a link.