Filtered by vendor Givewp
Subscribe
Total
45 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-47315 | 1 Givewp | 1 Givewp | 2024-09-30 | N/A | 5.4 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in GiveWP.This issue affects GiveWP: from n/a through 3.15.1. | |||||
| CVE-2024-5932 | 1 Givewp | 1 Givewp | 2024-08-26 | N/A | 10.0 CRITICAL |
| The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files. | |||||
| CVE-2024-5941 | 1 Givewp | 1 Givewp | 2024-08-26 | N/A | 5.4 MEDIUM |
| The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.14.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read attachment paths and delete attachment files. | |||||
| CVE-2024-5940 | 1 Givewp | 1 Givewp | 2024-08-26 | N/A | 6.5 MEDIUM |
| The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.13.0. This makes it possible for unauthenticated attackers to edit event ticket settings if the Events beta feature is enabled. | |||||
| CVE-2024-5939 | 1 Givewp | 1 Givewp | 2024-08-26 | N/A | 5.3 MEDIUM |
| The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'setup_wizard' function in all versions up to, and including, 3.13.0. This makes it possible for unauthenticated attackers to read the setup wizard administrative pages. | |||||