Total
4649 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-6700 | 1 Cookieinformation | 1 Wp-gdpr-compliance | 2024-11-21 | N/A | 8.8 HIGH |
| The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler in versions up to, and including, 2.0.22. This makes it possible for authenticated attackers, with subscriber-level access or higher, to edit arbitrary site options which can be used to create administrator accounts. | |||||
| CVE-2023-6696 | 1 Sygnoos | 1 Popup Builder | 2024-11-21 | N/A | 8.1 HIGH |
| The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 4.3.1. While some functions contain a nonce check, the nonce can be obtained from the profile page of a logged-in user. This allows subscribers to perform several actions including deleting subscribers and perform blind Server-Side Request Forgery. | |||||
| CVE-2023-6638 | 1 Gutengeek | 1 Gg Woo Feed | 2024-11-21 | N/A | 6.5 MEDIUM |
| The GTG Product Feed for Shopping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_settings' function in versions up to, and including, 1.2.4. This makes it possible for unauthenticated attackers to update plugin settings. | |||||
| CVE-2023-6637 | 1 Daan | 1 Complete Analytics Optimization Suite | 2024-11-21 | N/A | 6.5 MEDIUM |
| The CAOS | Host Google Analytics Locally plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_settings' function in versions up to, and including, 4.7.14. This makes it possible for unauthenticated attackers to update plugin settings. | |||||
| CVE-2023-6598 | 1 Softaculous | 1 Speedycache | 2024-11-21 | N/A | 4.3 MEDIUM |
| The SpeedyCache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the speedycache_save_varniship, speedycache_img_update_settings, speedycache_preloading_add_settings, and speedycache_preloading_delete_resource functions in all versions up to, and including, 1.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to update plugin options. | |||||
| CVE-2023-6554 | 1 Tecnick | 1 Tcexam | 2024-11-21 | N/A | 6.5 MEDIUM |
| When access to the "admin" folder is not protected by some external authorization mechanisms e.g. Apache Basic Auth, it is possible for any user to download protected information like exam answers. | |||||
| CVE-2023-6504 | 1 Cozmoslabs | 1 Profile Builder | 2024-11-21 | N/A | 4.3 MEDIUM |
| The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wppb_toolbox_usermeta_handler function in all versions up to, and including, 3.10.7. This makes it possible for authenticated attackers, with contributor-level access and above, to expose sensitive information within user metadata. | |||||
| CVE-2023-6496 | 1 Freeamigos | 1 Manage Notification E-mails | 2024-11-21 | N/A | 5.3 MEDIUM |
| The Manage Notification E-mails plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.8.5 via the card_famne_export_settings function. This makes it possible for unauthenticated attackers to obtain plugin settings. | |||||
| CVE-2023-6491 | 1 Wpchill | 1 Strong Testimonials | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the wpmtst_save_view_sticky function in all versions up to, and including, 3.1.12. This makes it possible for authenticated attackers, with contributor access and above, to modify favorite views. | |||||
| CVE-2023-6394 | 2 Quarkus, Redhat | 2 Quarkus, Build Of Quarkus | 2024-11-21 | N/A | 7.4 HIGH |
| A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions. | |||||
| CVE-2023-6369 | 1 Myrecorp | 1 Export Wp Page To Static Html\/css | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Export WP Page to Static HTML/CSS plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 2.1.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to disclose sensitive information or perform unauthorized actions, such as saving advanced plugin settings. | |||||
| CVE-2023-6279 | 1 Wootsify | 1 Sites Library | 2024-11-21 | N/A | 7.1 HIGH |
| The Woostify Sites Library WordPress plugin before 1.4.8 does not have authorisation in an AJAX action, allowing any authenticated users, such as subscriber to update arbitrary blog options and set them to 'activated' which could lead to DoS when using a specific option name | |||||
| CVE-2023-6158 | 1 Myeventon | 2 Eventon, Eventon-lite | 2024-11-21 | N/A | 6.5 MEDIUM |
| The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the evo_eventpost_update_meta function in all versions up to, and including, 4.5.4 (for Pro) and 2.2.7 (for free). This makes it possible for unauthenticated attackers to update and remove arbitrary post metadata. Note that certain parameters may allow for content injection. | |||||
| CVE-2023-6048 | 1 Estatik | 1 Estatik | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not prevent user with low privileges on the site, like subscribers, from setting any of the site's options to 1, which could be used to break sites and lead to DoS when certain options are reset | |||||
| CVE-2023-6038 | 1 H2o | 1 H2o | 2024-11-21 | N/A | 7.5 HIGH |
| An attacker is able to read any file on the server hosting the H2O dashboard without any authentication. | |||||
| CVE-2023-6029 | 1 Spider-themes | 1 Eazydocs | 2024-11-21 | N/A | 7.5 HIGH |
| The EazyDocs WordPress plugin before 2.3.6 does not have authorization and CSRF checks when handling documents and does not ensure that they are documents from the plugin, allowing unauthenticated users to delete arbitrary posts, as well as add and delete documents/sections. | |||||
| CVE-2023-6020 | 1 Ray Project | 1 Ray | 2024-11-21 | N/A | 7.5 HIGH |
| LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. | |||||
| CVE-2023-6007 | 1 Userproplugin | 1 Userpro | 2024-11-21 | N/A | 7.3 HIGH |
| The UserPro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.1.1. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options. | |||||
| CVE-2023-6001 | 1 Yugabyte | 1 Yugabytedb | 2024-11-21 | N/A | 5.3 MEDIUM |
| Prometheus metrics are available without authentication. These expose detailed and sensitive information about the YugabyteDB Anywhere environment. | |||||
| CVE-2023-5949 | 1 Wpmudev | 1 Smartcrawl | 2024-11-21 | N/A | 7.5 HIGH |
| The SmartCrawl WordPress plugin before 3.8.3 does not prevent unauthorised users from accessing password-protected posts' content. | |||||