Archives: Reports

WordPress Plugin

codepeople-post-map

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2022-10-14

The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when submitting feedback, which makes it possible for attackers to send feedback via a forged request if they can trick an administrator into performing an action such as clicking on a link.

WordPress Plugin

search-in-place

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2022-10-14

The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when submitting feedback, which makes it possible for attackers to send feedback via a forged request if they can trick an administrator into performing an action such as clicking on a link.

WordPress Plugin

dpt-oauth-client

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2022-10-10

The plugin contains a Cross-Site Scripting (XSS) vulnerability due to the plugin does not sanitize and escape some parameters, which makes it possible for authenticated attackers with a role as low as administrator to inject arbitrary web scripts.

WordPress Plugin

dpt-oauth-client

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2022-10-10

The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check in the dpt-oauth-ajax AJAX action, which makes it possible for attackers to perform actions via a forged request if they can trick an administrator into performing an action such as clicking on a link.

WordPress Plugin

wp-expand-tabs-free

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2022-10-03

The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to an incorrect nonce check in multiple AJAX actions, which makes it possible for attackers to perform actions via a forged request if they can trick an administrator into performing an action such as clicking on a link.

WordPress Plugin

drag-and-drop-multiple-file-upload-for-woocommerce

Vulnerability Type:

Non-Arbitrary File Upload

Date:

2022-10-01

The plugin contains a Non-Arbitrary File Upload vulnerability due a missing form id check and an incorrect nonce check in the dnd_codedropz_upload_wc and dnd_codedropz_upload_delete_wc AJAX actions, which makes it possible for unauthenticated attackers to upload files to the server without it being assigned to an existing form and delete files from the server.

WordPress Plugin

wp-rest-api-authentication

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2022-09-13

The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when updating its settings, which makes it possible for attackers to change them via a forged request if they can trick an administrator into performing an action such as clicking on a link.

WordPress Plugin

traffic-manager

Vulnerability Type:

Missing Authorization

Date:

2022-09-13

The plugin contains a Missing Authorization vulnerability due to a missing capability check in multiple AJAX actions, which makes it possible for authenticated attackers with a role as low as subscriber to access functionality.

WordPress Plugin

traffic-manager

Vulnerability Type:

Cross-Site Scripting (XSS),
Missing Authorization

Date:

2022-09-13

The plugin contains a Missing Authorization vulnerability due to a missing capability check in an AJAX action, which makes it possible for authenticated attackers with a role as low as subscriber to access functionality. The plugin also contains a Cross-Site Scripting (XSS) vulnerability, due to the plugin does not sanitize and escape some parameters, which makes it possible to inject arbitrary web scripts.

WordPress Plugin

nextgen-gallery

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2022-09-13

The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check in the createNewThumb and rotateImage AJAX actions, which makes it possible for attackers to make logged in users with the nextgen_edit_gallery capability to modify the images via a forged request if they can trick an administrator into performing an action such as clicking on a link.

WordPress Plugin

image-zoom

Vulnerability Type:

Missing Authorization

Date:

2022-09-13

The plugin contains a Missing Authorization vulnerability due to a missing capability check in multiple AJAX actions, which makes it possible for authenticated attackers with a role as low as subscriber to access functionality.

WordPress Plugin

backup-scheduler

Vulnerability Type:

Missing Authorization

Date:

2022-09-13

The plugin contains a Missing Authorization vulnerability due to a missing capability check in multiple AJAX actions, which makes it possible for authenticated attackers with a role as low as subscriber to access functionality.

WordPress Plugin

favicon-switcher

Vulnerability Type:

Missing Authorization

Date:

2022-09-13

The plugin contains a Missing Authorization vulnerability due to a missing capability check in multiple AJAX actions, which makes it possible for authenticated attackers with a role as low as subscriber to access functionality.

WordPress Plugin

easy-appointments

Vulnerability Type:

Cross-Site Request Forgery (CSRF),
Cross-Site Scripting (XSS)

Date:

2022-09-13

The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when creating employees and services, and it’s also contains a Cross-Site Scripting (XSS) vulnerability due to the plugin does not sanitize and escape some parameters, which makes it possible for attackers to inject arbitrary web scripts into pages via a forged request if they can trick an administrator into performing an action such as clicking on a link.

WordPress Plugin

sunshine-photo-cart

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2022-09-09

The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check in the sunshine_update_image_location AJAX action, which makes it possible for attackers to update image location via a forged request if they can trick an administrator into performing an action such as clicking on a link.

WordPress Plugin

sunshine-photo-cart

Vulnerability Type:

Missing Authorization

Date:

2022-09-09

The plugin contains a Missing Authorization vulnerability due to a missing capability check in the sunshine_file_save AJAX action, which makes it possible for authenticated attackers with a role as low as subscriber to copy the gallery files to another folder.

WordPress Plugin

wp-custom-cursors

Vulnerability Type:

Cross-Site Request Forgery (CSRF),
Cross-Site Scripting (XSS)

Date:

2022-09-07

The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when creating and editing cursors, and it’s also contains a Cross-Site Scripting (XSS) vulnerability due to the plugin does not sanitize and escape some parameters, which makes it possible for attackers to inject arbitrary web scripts into pages via a forged request if they can trick an administrator into performing an action such as clicking on a link.

WordPress Plugin

wp-custom-cursors

Vulnerability Type:

SQL Injection

Date:

2022-09-07

The plugin contains an SQL Injection vulnerability due to the plugin does not properly sanitize and escape the edit_row parameter before using it in an SQL query, which makes it possible for authenticated attackers with a role as low as administrator to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

WordPress Plugin

wp-custom-cursors

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2022-09-07

The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check when deleting cursors, which makes it possible for attackers to made a logged in admin delete arbitrary cursors via a forged request if they can trick an administrator into performing an action such as clicking on a link.

WordPress Plugin

woo-shipping-dpd-baltic

Vulnerability Type:

Missing Authorization

Date:

2022-09-07

The plugin contains a Missing Authorization vulnerability due to a missing capability check in the delete_warehouse AJAX action, which makes it possible for authenticated attackers with a role as low as subscriber to delete arbitrary site options, which could make the blog unavailable.

WordPress Plugin

woo-shipping-dpd-baltic

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2022-09-07

The plugin contains a Cross-Site Scripting (XSS) vulnerability due to the plugin does not sanitize and escape some parameters, which makes it possible for authenticated attackers with a role as low as administrator to inject arbitrary web scripts.

WordPress Plugin

billingo

Vulnerability Type:

Cross-Site Scripting (XSS)

Date:

2022-09-07

The plugin contains a Cross-Site Scripting (XSS) vulnerability due to the plugin does not sanitize and escape some parameters, which makes it possible for authenticated attackers with a role as low as shop manager to inject arbitrary web scripts.

WordPress Plugin

integration-for-szamlazzhu-woocommerce

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2022-09-07

The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check in the wc_szamlazz_license_deactivate AJAX action, which makes it possible for attackers to deactivate the plugin’s license via a forged request if they can trick an administrator into performing an action such as clicking on a link.

WordPress Plugin

hungarian-pickup-points-for-woocommerce

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2022-09-07

The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check in the vp_woo_pont_license_deactivate AJAX action, which makes it possible for attackers to deactivate the plugin’s license via a forged request if they can trick an administrator into performing an action such as clicking on a link.

WordPress Plugin

woo-billingo-plus

Vulnerability Type:

Cross-Site Request Forgery (CSRF)

Date:

2022-09-07

The plugin contains a Cross-Site Request Forgery (CSRF) vulnerability due to a missing nonce check in the wc_billingo_plus_license_deactivate AJAX action, which makes it possible for attackers to deactivate the plugin’s license via a forged request if they can trick an administrator into performing an action such as clicking on a link.