Archives: Reports
CVE ID:
CVE-2023-25039
WordPress Plugin
codepeople-post-map
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-10-14
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when submitting feedback, which makes it possible for attackers to send feedback via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2023-26521
WordPress Plugin
search-in-place
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-10-14
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when submitting feedback, which makes it possible for attackers to send feedback via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-3631
WordPress Plugin
dpt-oauth-client
Vulnerability Type:
Cross-Site Scripting (XSS)
Date:
2022-10-10
The plugin contains a Cross-Site Scripting (XSS) vulnerability due to the plugin does not sanitize and escape some parameters, which makes it possible for authenticated attackers with a role as low as administrator to inject arbitrary web scripts.
CVE ID:
CVE-2022-3632
WordPress Plugin
dpt-oauth-client
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-10-10
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check in the dpt-oauth-ajax AJAX action, which makes it possible for attackers to perform actions via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2023-25065
WordPress Plugin
wp-expand-tabs-free
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-10-03
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to an incorrect nonce check in multiple AJAX actions, which makes it possible for attackers to perform actions via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-45377
WordPress Plugin
drag-and-drop-multiple-file-upload-for-woocommerce
Vulnerability Type:
Non-Arbitrary File Upload
Date:
2022-10-01
The plugin contains a Non-Arbitrary File Upload vulnerability due a missing form id check and an incorrect nonce check in the dnd_codedropz_upload_wc and dnd_codedropz_upload_delete_wc AJAX actions, which makes it possible for unauthenticated attackers to upload files to the server without it being assigned to an existing form and delete files from the server.
CVE ID:
CVE-2022-45073
WordPress Plugin
wp-rest-api-authentication
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-09-13
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when updating its settings, which makes it possible for attackers to change them via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-41695
WordPress Plugin
traffic-manager
Vulnerability Type:
Missing Authorization
Date:
2022-09-13
The plugin contains a Missing Authorization vulnerability due to a missing capability check in multiple AJAX actions, which makes it possible for authenticated attackers with a role as low as subscriber to access functionality.
CVE ID:
CVE-2022-42460
WordPress Plugin
traffic-manager
Vulnerability Type:
Cross-Site Scripting (XSS),
Missing Authorization
Date:
2022-09-13
The plugin contains a Missing Authorization vulnerability due to a missing capability check in an AJAX action, which makes it possible for authenticated attackers with a role as low as subscriber to access functionality. The plugin also contains a Cross-Site Scripting (XSS) vulnerability, due to the plugin does not sanitize and escape some parameters, which makes it possible to inject arbitrary web scripts.
CVE ID:
CVE-2022-38468
WordPress Plugin
nextgen-gallery
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-09-13
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check in the createNewThumb and rotateImage AJAX actions, which makes it possible for attackers to make logged in users with the nextgen_edit_gallery capability to modify the images via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-41619
WordPress Plugin
image-zoom
Vulnerability Type:
Missing Authorization
Date:
2022-09-13
The plugin contains a Missing Authorization vulnerability due to a missing capability check in multiple AJAX actions, which makes it possible for authenticated attackers with a role as low as subscriber to access functionality.
CVE ID:
CVE-2022-38079
WordPress Plugin
backup-scheduler
Vulnerability Type:
Missing Authorization
Date:
2022-09-13
The plugin contains a Missing Authorization vulnerability due to a missing capability check in multiple AJAX actions, which makes it possible for authenticated attackers with a role as low as subscriber to access functionality.
CVE ID:
CVE-2022-40219
WordPress Plugin
favicon-switcher
Vulnerability Type:
Missing Authorization
Date:
2022-09-13
The plugin contains a Missing Authorization vulnerability due to a missing capability check in multiple AJAX actions, which makes it possible for authenticated attackers with a role as low as subscriber to access functionality.
CVE ID:
CVE-2022-36424
WordPress Plugin
easy-appointments
Vulnerability Type:
Cross-Site Request Forgery (CSRF),
Cross-Site Scripting (XSS)
Date:
2022-09-13
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when creating employees and services, and it’s also contains a Cross-Site Scripting (XSS) vulnerability due to the plugin does not sanitize and escape some parameters, which makes it possible for attackers to inject arbitrary web scripts into pages via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-40692
WordPress Plugin
sunshine-photo-cart
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-09-09
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check in the sunshine_update_image_location AJAX action, which makes it possible for attackers to update image location via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-45826
WordPress Plugin
sunshine-photo-cart
Vulnerability Type:
Missing Authorization
Date:
2022-09-09
The plugin contains a Missing Authorization vulnerability due to a missing capability check in the sunshine_file_save AJAX action, which makes it possible for authenticated attackers with a role as low as subscriber to copy the gallery files to another folder.
CVE ID:
CVE-2022-3149
WordPress Plugin
wp-custom-cursors
Vulnerability Type:
Cross-Site Request Forgery (CSRF),
Cross-Site Scripting (XSS)
Date:
2022-09-07
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when creating and editing cursors, and it’s also contains a Cross-Site Scripting (XSS) vulnerability due to the plugin does not sanitize and escape some parameters, which makes it possible for attackers to inject arbitrary web scripts into pages via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-3150
WordPress Plugin
wp-custom-cursors
Vulnerability Type:
SQL Injection
Date:
2022-09-07
The plugin contains an SQL Injection vulnerability due to the plugin does not properly sanitize and escape the edit_row parameter before using it in an SQL query, which makes it possible for authenticated attackers with a role as low as administrator to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE ID:
CVE-2022-3151
WordPress Plugin
wp-custom-cursors
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-09-07
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when deleting cursors, which makes it possible for attackers to made a logged in admin delete arbitrary cursors via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-3999
WordPress Plugin
woo-shipping-dpd-baltic
Vulnerability Type:
Missing Authorization
Date:
2022-09-07
The plugin contains a Missing Authorization vulnerability due to a missing capability check in the delete_warehouse AJAX action, which makes it possible for authenticated attackers with a role as low as subscriber to delete arbitrary site options, which could make the blog unavailable.
CVE ID:
CVE-2022-4000
WordPress Plugin
woo-shipping-dpd-baltic
Vulnerability Type:
Cross-Site Scripting (XSS)
Date:
2022-09-07
The plugin contains a Cross-Site Scripting (XSS) vulnerability due to the plugin does not sanitize and escape some parameters, which makes it possible for authenticated attackers with a role as low as administrator to inject arbitrary web scripts.
CVE ID:
CVE-2022-3420
WordPress Plugin
billingo
Vulnerability Type:
Cross-Site Scripting (XSS)
Date:
2022-09-07
The plugin contains a Cross-Site Scripting (XSS) vulnerability due to the plugin does not sanitize and escape some parameters, which makes it possible for authenticated attackers with a role as low as shop manager to inject arbitrary web scripts.
CVE ID:
CVE-2022-41685
WordPress Plugin
integration-for-szamlazzhu-woocommerce
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-09-07
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check in the wc_szamlazz_license_deactivate AJAX action, which makes it possible for attackers to deactivate the plugin’s license via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-41685
WordPress Plugin
hungarian-pickup-points-for-woocommerce
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-09-07
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check in the vp_woo_pont_license_deactivate AJAX action, which makes it possible for attackers to deactivate the plugin’s license via a forged request if they can trick an administrator into performing an action such as clicking on a link.
CVE ID:
CVE-2022-3154
WordPress Plugin
woo-billingo-plus
Vulnerability Type:
Cross-Site Request Forgery (CSRF)
Date:
2022-09-07
The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check in the wc_billingo_plus_license_deactivate AJAX action, which makes it possible for attackers to deactivate the plugin’s license via a forged request if they can trick an administrator into performing an action such as clicking on a link.