Total
3177 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-5877 | 1 Servit | 1 Affiliate-toolkit | 2024-11-21 | N/A | 9.8 CRITICAL |
| The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to it's affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URL's, including RFC1918 private addresses, leading to a Server Side Request Forgery (SSRF) issue. | |||||
| CVE-2023-5862 | 1 Hamza417 | 1 Inure | 2024-11-21 | N/A | 3.3 LOW |
| Missing Authorization in GitHub repository hamza417/inure prior to Build95. | |||||
| CVE-2023-5737 | 1 Webtoffee | 1 Backup And Migration | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WordPress Backup & Migration WordPress plugin before 1.4.4 does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings. | |||||
| CVE-2023-5714 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_db_specs() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve data key specs. | |||||
| CVE-2023-5713 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_option_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve potentially sensitive option values, and deserialize the content of those values. | |||||
| CVE-2023-5712 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_global_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive global value information. | |||||
| CVE-2023-5711 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_php_info() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive information provided by PHP info. | |||||
| CVE-2023-5710 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_constants() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive information such as database credentials. | |||||
| CVE-2023-5612 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 5.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled. | |||||
| CVE-2023-5611 | 1 Seraphinitesolutions | 1 Seraphinite Accelerator | 2024-11-21 | N/A | 5.3 MEDIUM |
| The Seraphinite Accelerator WordPress plugin before 2.20.32 does not have authorisation and CSRF checks when resetting and importing its settings, allowing unauthenticated users to reset them | |||||
| CVE-2023-5533 | 1 Quantumcloud | 1 Ai Chatbot | 2024-11-21 | N/A | 5.3 MEDIUM |
| The AI ChatBot plugin for WordPress is vulnerable to unauthorized use of AJAX actions due to missing capability checks on the corresponding functions in versions up to, and including, 4.8.9 as well as 4.9.2. This makes it possible for unauthenticated attackers to perform some of those actions that were intended for higher privileged users. | |||||
| CVE-2023-5525 | 1 Limitloginattempts | 1 Limit Login Attempts Reloaded | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Limit Login Attempts Reloaded WordPress plugin before 2.25.26 is missing authorization on the `toggle_auto_update` AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin. | |||||
| CVE-2023-5506 | 1 Imagemapper Project | 1 Imagemapper | 2024-11-21 | N/A | 5.4 MEDIUM |
| The ImageMapper plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'imgmap_delete_area_ajax' function in versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts and pages. | |||||
| CVE-2023-5454 | 1 Templately | 1 Templately | 2024-11-21 | N/A | 7.5 HIGH |
| The Templately WordPress plugin before 2.2.6 does not properly authorize the `saved-templates/delete` REST API call, allowing unauthenticated users to delete arbitrary posts. | |||||
| CVE-2023-5419 | 1 Funnelforms | 1 Funnelforms | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_test_mail function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to send test emails to an arbitrary email address. | |||||
| CVE-2023-5417 | 1 Funnelforms | 1 Funnelforms | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_update_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify the Funnelforms category for a given post ID. | |||||
| CVE-2023-5416 | 1 Funnelforms | 1 Funnelforms | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete categories. | |||||
| CVE-2023-5415 | 1 Funnelforms | 1 Funnelforms | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_add_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to add new categories. | |||||
| CVE-2023-5411 | 1 Funnelforms | 1 Funnelforms | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_save_post function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify certain post values. Note that the extent of modification is limited due to fixed values passed to the wp_update_post function. | |||||
| CVE-2023-5387 | 1 Funnelforms | 1 Funnelforms | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_trigger_dark_mode function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to enable or disable the dark mode plugin setting. | |||||