Total
4661 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-6369 | 1 Myrecorp | 1 Export Wp Page To Static Html\/css | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Export WP Page to Static HTML/CSS plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 2.1.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to disclose sensitive information or perform unauthorized actions, such as saving advanced plugin settings. | |||||
| CVE-2023-6279 | 1 Wootsify | 1 Sites Library | 2024-11-21 | N/A | 7.1 HIGH |
| The Woostify Sites Library WordPress plugin before 1.4.8 does not have authorisation in an AJAX action, allowing any authenticated users, such as subscriber to update arbitrary blog options and set them to 'activated' which could lead to DoS when using a specific option name | |||||
| CVE-2023-6158 | 1 Myeventon | 2 Eventon, Eventon-lite | 2024-11-21 | N/A | 6.5 MEDIUM |
| The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the evo_eventpost_update_meta function in all versions up to, and including, 4.5.4 (for Pro) and 2.2.7 (for free). This makes it possible for unauthenticated attackers to update and remove arbitrary post metadata. Note that certain parameters may allow for content injection. | |||||
| CVE-2023-6066 | 1 Kishorkhambu | 1 Wp Custom Widget Area | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WP Custom Widget area WordPress plugin through 1.2.5 does not properly apply capability and nonce checks on any of its AJAX action callback functions, which could allow attackers with subscriber+ privilege to create, delete or modify menus on the site. | |||||
| CVE-2023-6048 | 1 Estatik | 1 Estatik | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not prevent user with low privileges on the site, like subscribers, from setting any of the site's options to 1, which could be used to break sites and lead to DoS when certain options are reset | |||||
| CVE-2023-6038 | 1 H2o | 1 H2o | 2024-11-21 | N/A | 7.5 HIGH |
| A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the default installation and does not require user interaction. The vulnerability can be exploited by making specific GET or POST requests to the ImportFiles and ParseSetup endpoints, respectively. This issue was identified in version 3.40.0.4 of h2o-3. | |||||
| CVE-2023-6029 | 1 Spider-themes | 1 Eazydocs | 2024-11-21 | N/A | 7.5 HIGH |
| The EazyDocs WordPress plugin before 2.3.6 does not have authorization and CSRF checks when handling documents and does not ensure that they are documents from the plugin, allowing unauthenticated users to delete arbitrary posts, as well as add and delete documents/sections. | |||||
| CVE-2023-6020 | 1 Ray Project | 1 Ray | 2024-11-21 | N/A | 7.5 HIGH |
| LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. | |||||
| CVE-2023-6007 | 1 Userproplugin | 1 Userpro | 2024-11-21 | N/A | 7.3 HIGH |
| The UserPro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.1.1. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options. | |||||
| CVE-2023-6001 | 1 Yugabyte | 1 Yugabytedb | 2024-11-21 | N/A | 5.3 MEDIUM |
| Prometheus metrics are available without authentication. These expose detailed and sensitive information about the YugabyteDB Anywhere environment. | |||||
| CVE-2023-5949 | 1 Wpmudev | 1 Smartcrawl | 2024-11-21 | N/A | 7.5 HIGH |
| The SmartCrawl WordPress plugin before 3.8.3 does not prevent unauthorised users from accessing password-protected posts' content. | |||||
| CVE-2023-5905 | 1 Demomentsomtres | 1 Export Posts With Images | 2024-11-21 | N/A | 8.1 HIGH |
| The DeMomentSomTres WordPress Export Posts With Images WordPress plugin through 20220825 does not check authorization of requests to export the blog data, allowing any logged in user, such as subscribers to export the contents of the blog, including restricted and unpublished posts, as well as passwords of protected posts. | |||||
| CVE-2023-5877 | 1 Servit | 1 Affiliate-toolkit | 2024-11-21 | N/A | 9.8 CRITICAL |
| The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to it's affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URL's, including RFC1918 private addresses, leading to a Server Side Request Forgery (SSRF) issue. | |||||
| CVE-2023-5862 | 1 Hamza417 | 1 Inure | 2024-11-21 | N/A | 3.3 LOW |
| Missing Authorization in GitHub repository hamza417/inure prior to Build95. | |||||
| CVE-2023-5737 | 1 Webtoffee | 1 Backup And Migration | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WordPress Backup & Migration WordPress plugin before 1.4.4 does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings. | |||||
| CVE-2023-5714 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_db_specs() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve data key specs. | |||||
| CVE-2023-5713 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_option_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve potentially sensitive option values, and deserialize the content of those values. | |||||
| CVE-2023-5712 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_global_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive global value information. | |||||
| CVE-2023-5711 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_php_info() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive information provided by PHP info. | |||||
| CVE-2023-5710 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_constants() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive information such as database credentials. | |||||