Total
4618 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-0236 | 1 Vjinfotech | 2 Wp Import Export, Wp Import Export Lite | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The WP Import Export WordPress plugin (both free and premium versions) is vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download function wpie_process_file_download found in the ~/includes/classes/class-wpie-general.php file. This made it possible for unauthenticated attackers to download any imported or exported information from a vulnerable site which can contain sensitive information like user data. This affects versions up to, and including, 3.9.15. | |||||
| CVE-2022-0203 | 1 Craterapp | 1 Crater | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Improper Access Control in GitHub repository crater-invoice/crater prior to 6.0.2. | |||||
| CVE-2022-0179 | 1 Snipeitapp | 1 Snipe-it | 2024-11-21 | 4.9 MEDIUM | 5.4 MEDIUM |
| snipe-it is vulnerable to Missing Authorization | |||||
| CVE-2022-0178 | 1 Snipeitapp | 1 Snipe-it | 2024-11-21 | 5.5 MEDIUM | 6.3 MEDIUM |
| Missing Authorization vulnerability in snipe snipe/snipe-it.This issue affects snipe/snipe-i before 5.3.8. | |||||
| CVE-2022-0163 | 1 Rednao | 1 Smart Forms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Smart Forms WordPress plugin before 2.6.71 does not have authorisation in its rednao_smart_forms_entries_list AJAX action, allowing any authenticated users, such as subscriber, to download arbitrary form's data, which could include sensitive information such as PII depending on the form. | |||||
| CVE-2022-0152 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 13.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to unauthorized access to some particular fields through the GraphQL API. | |||||
| CVE-2022-0125 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 12.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not verifying that a maintainer of a project had the right access to import members from a target project. | |||||
| CVE-2021-4388 | 1 Wpopal | 1 Opal Estate | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Opal Estate plugin for WordPress is vulnerable to featured property modifications in versions up to, and including, 1.6.11. This is due to missing capability checks on the opalestate_set_feature_property() and opalestate_remove_feature_property() functions. This makes it possible for unauthenticated attackers to set and remove featured properties. | |||||
| CVE-2021-4383 | 1 Webdevocean | 1 Wp Quick Frontend Editor | 2024-11-21 | N/A | 8.1 HIGH |
| The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to page content injection in versions up to, and including, 5.5. This is due to missing capability checks in the plugin's page-editing functionality. This makes it possible for low-authenticated attackers, such as subscribers, to edit/create any page or post on the blog. | |||||
| CVE-2021-4381 | 1 Stylemixthemes | 1 Ulisting | 2024-11-21 | N/A | 9.8 CRITICAL |
| The uListing plugin for WordPress is vulnerable to authorization bypass via wp_route due to missing capability checks, and a missing security nonce, in the StmListingSingleLayout::import_new_layout method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to change any WordPress option in the database. | |||||
| CVE-2021-4376 | 1 Palscode | 1 Woocommerce Multi Currency | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value. | |||||
| CVE-2021-4374 | 1 Valvepress | 1 Wordpress Automatic Plugin | 2024-11-21 | N/A | 9.1 CRITICAL |
| The WordPress Automatic Plugin for WordPress is vulnerable to arbitrary options updates in versions up to, and including, 3.53.2. This is due to missing authorization and option validation in the process_form.php file. This makes it possible for unauthenticated attackers to arbitrarily update the settings of a vulnerable site and ultimately compromise the entire site. | |||||
| CVE-2021-4371 | 1 Pluginmirror | 1 Wp Quick Frontend Editor | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to Setting Changs in versions up to, and including, 5.5. This is due to lacking both a security nonce and a capabilities check. This makes it possible for low-authenticated attackers to change plugin settings even when they do not have the capabilities to do so. | |||||
| CVE-2021-4370 | 1 Stylemixthemes | 1 Ulisting | 2024-11-21 | N/A | 9.8 CRITICAL |
| The uListing plugin for WordPress is vulnerable to authorization bypass as most actions and endpoints are accessible to unauthenticated users, lack security nonces, and data is seldom validated. This issue exists in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to conduct numerous administrative actions, including those less critical than the explicitly outlined ones in our detection. | |||||
| CVE-2021-4369 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2024-11-21 | N/A | 5.8 MEDIUM |
| The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Content Injection in versions up to, and including, 18.2. This is due to lacking authorization protections, checks against users editing other's posts, and lacking a security nonce, all on the wpfm_edit_file_title_desc AJAX action. This makes it possible for unauthenticated attackers to edit the content and title of every page on the site. | |||||
| CVE-2021-4368 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2024-11-21 | N/A | 9.9 CRITICAL |
| The Frontend File Manager plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 18.2. This is due to lacking capability checks and a security nonce, all on the wpfm_save_settings AJAX action. This makes it possible for subscriber-level attackers to edit the plugin settings, such as the allowed upload file types. This can lead to remote code execution through other vulnerabilities. | |||||
| CVE-2021-4366 | 1 Magazine3 | 1 Pwa For Wp \& Amp | 2024-11-21 | N/A | 6.3 MEDIUM |
| The PWA for WP & AMP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the pwaforwp_update_features_options function in versions up to, and including, 1.7.32. This makes it possible for authenticated attackers to change the otherwise restricted settings within the plugin. | |||||
| CVE-2021-4364 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2024-11-21 | N/A | 4.3 MEDIUM |
| The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the jobsearch_add_job_import_schedule_call() function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers to add and/or modify schedule calls. | |||||
| CVE-2021-4362 | 1 Wpkube | 1 Kiwi Social Share | 2024-11-21 | N/A | 9.8 CRITICAL |
| The Kiwi Social Share plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the kiwi_social_share_get_option() function called via the kiwi_social_share_get_option AJAX action in version 2.1.0. This makes it possible for unauthenticated attackers to read and modify arbitrary options on a WordPress site that can be used for complete site takeover. This was a previously fixed vulnerability that was reintroduced in this version. | |||||
| CVE-2021-4361 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2024-11-21 | N/A | 8.8 HIGH |
| The JobSearch WP Job Board plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the jobsearch_job_integrations_settin_save AJAX action in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers to update arbitrary options on the site. | |||||