The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 5.3.10. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to add arbitrary notes to any order and trigger unsolicited notification and moderation emails to listing owners without administrative authorization.
The EmbedPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'admin_post_remove' and 'remove_private_data' functions in versions up to, and including, 3.8.2. This makes it possible for authenticated attackers with subscriber privileges or above, to delete plugin settings.
Missing Authorization vulnerability in ValvePress Rankie valvepress-rankie allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rankie: from n/a through < 1.8.2.
Missing Authorization vulnerability in Jeroen Peters Name Directory name-directory.This issue affects Name Directory: from n/a through <= 1.30.0.
Missing Authorization vulnerability in WC Product Table WooCommerce Product Table Lite wc-product-table-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Product Table Lite: from n/a through <= 3.9.5.
The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the process_wbelps_promo_form() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the plugin’s support‐form handler to send arbitrary emails to the site’s support address.
Missing Authorization vulnerability in ValvePress Pinterest Automatic Pin wp-pinterest-automatic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Pinterest Automatic Pin: from n/a through <= 4.19.0.
Missing Authorization vulnerability in vowelweb Sirat sirat allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sirat: from n/a through <= 1.5.1.
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.8.4. This is due to the plugin not properly verifying that a user is authorized to perform an action via the pm_set_group_order, pm_set_group_items, and pm_set_field_order AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify site-wide ProfileGrid group settings including group menu order, group list order, group icon display, and field ordering.
Missing Authorization vulnerability in hashthemes Smart Blocks smart-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smart Blocks: from n/a through <= 2.4.
Missing Authorization vulnerability in WPXPO WowStore product-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WowStore: from n/a through <= 4.2.4.
Missing Authorization vulnerability in averta Master Slider master-slider.This issue affects Master Slider: from n/a through <= 3.11.0.
SAP MDG (Review Match Groups Application) does not perform the necessary authorization checks for authenticated users. This could allow a low-privileged user to perform actions that would otherwise be restricted, resulting in escalation of privileges. This has a low impact on integrity, while confidentiality and availability are not impacted.
Missing Authorization vulnerability in Themovation Bellevue bellevuex.This issue affects Bellevue: from n/a through <= 4.2.2.
Missing Authorization vulnerability in flippercode Advanced Google Maps wp-google-map-gold allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Google Maps: from n/a through <= 5.8.4.
Missing Authorization vulnerability in QuanticaLabs Car Park Booking System for WordPress car-park-booking-system-for-wordpress.This issue affects Car Park Booking System for WordPress: from n/a through <= 2.6.
A missing permission check in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key.
Missing Authorization vulnerability in Malcure Web Security Malcure Malware Scanner wp-malware-removal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Malcure Malware Scanner: from n/a through <= 16.8.
Missing Authorization vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component).This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.4-00.
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in the ajax_actions.php file in all versions up to, and including, 1.4.66. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute several initial set-up actions.
The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'secupress_reinstall_plugins_admin_ajax_cb' function in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins.
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to modify quizzes they do not own, overwrite quiz results pages, and reroute quiz-result notification emails to attacker-controlled addresses. An attacker first calls the /quiz/structure endpoint with an arbitrary victim quiz ID to obtain a valid nonce bound to that quiz ID and their own user ID, then presents that nonce to the /quizzes/{id}/emails save endpoint, which accepts it without verifying quiz ownership.
Missing Authorization vulnerability in ERA404 StaffList stafflist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects StaffList: from n/a through <= 3.2.7.
Missing Authorization vulnerability in Ateeq Rafeeq RepairBuddy computer-repair-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RepairBuddy: from n/a through <= 3.8213.
Missing Authorization vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MasterStudy LMS: from n/a through <= 3.5.28.
Missing Authorization vulnerability in Bookingor Bookingor bookingor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bookingor: from n/a through <= 2.0.1.
Missing Authorization vulnerability in Anzar Ahmed Display product variations dropdown on shop page display-product-variations-dropdown-on-shop-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Display product variations dropdown on shop page: from n/a through <= 1.1.3.
Missing Authorization vulnerability in aleswebs AdMail – Multilingual Back in-Stock Notifier for WooCommerce admail allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AdMail – Multilingual Back in-Stock Notifier for WooCommerce: from n/a through <= 1.7.0.
Missing Authorization vulnerability in Vagonic Woocommerce Products Reorder Drag Drop Multiple Sort – Sortable, Rearrange Products Vagonic vagonic-sortable.This issue affects Woocommerce Products Reorder Drag Drop Multiple Sort – Sortable, Rearrange Products Vagonic: from n/a through <= 1.9.
Missing Authorization vulnerability in Joao Romao Social Share Buttons & Analytics Plugin – GetSocial.io wp-share-buttons-analytics-by-getsocial allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Social Share Buttons & Analytics Plugin – GetSocial.io: from n/a through <= 4.5.
Missing Authorization vulnerability in Bowo Variable Inspector variable-inspector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Variable Inspector: from n/a through <= 2.6.3.
Missing Authorization vulnerability in Rashid Slider Path for Elementor slider-path allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Slider Path for Elementor: from n/a through <= 3.0.0.
Missing Authorization vulnerability in termel Bulk Fields Editor bulk-user-editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bulk Fields Editor: from n/a through <= 1.8.0.
Missing Authorization vulnerability in redqteam Wishlist wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wishlist: from n/a through <= 2.1.0.
Missing Authorization vulnerability in Mayeenul Islam NanoSupport nanosupport allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NanoSupport: from n/a through <= 0.6.0.
Missing Authorization vulnerability in ahmadshyk Gift Cards for WooCommerce woo-giftcards allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gift Cards for WooCommerce: from n/a through <= 1.5.8.
Missing Authorization vulnerability in CartBoss CartBoss cartboss allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CartBoss: from n/a through <= 4.1.2.
Missing Authorization vulnerability in josselynj pCloud Backup pcloud-backup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects pCloud Backup: from n/a through <= 1.0.1.
Missing Authorization vulnerability in Zoho Flow Zoho Flow zoho-flow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zoho Flow: from n/a through <= 2.13.3.
Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Docs: from n/a through < 2.2.7.
Missing Authorization vulnerability in Croover.inc Rich Table of Contents rich-table-of-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rich Table of Contents: from n/a through <= 1.4.0.
Missing Authorization vulnerability in Repuso Social proof testimonials and reviews by Repuso social-testimonials-and-reviews-widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Social proof testimonials and reviews by Repuso: from n/a through <= 5.21.
Missing Authorization vulnerability in Smackcoders Inc., Google SEO Pressor Snippet google-seo-author-snippets allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Google SEO Pressor Snippet: from n/a through <= 2.0.
Missing Authorization vulnerability in Gagan Deep Singh PostmarkApp Email Integrator postmarkapp-email-integrator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PostmarkApp Email Integrator: from n/a through <= 2.4.
Missing Authorization vulnerability in Akhtarujjaman Shuvo Post Grid Master ajax-filter-posts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Grid Master: from n/a through <= 3.4.17.
Missing Authorization vulnerability in WP Messiah WP Mobile Bottom Menu mobile-bottom-menu-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Mobile Bottom Menu: from n/a through <= 1.4.0.
Missing Authorization vulnerability in Team AtomChat AtomChat atomchat allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AtomChat: from n/a through <= 1.1.7.
Missing Authorization vulnerability in MantraBrain Ultimate Watermark ultimate-watermark allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Watermark: from n/a through <= 1.1.
Missing Authorization vulnerability in Shaharia Azam Auto Post After Image Upload auto-post-after-image-upload allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Auto Post After Image Upload: from n/a through <= 1.6.
Missing Authorization vulnerability in Magnigenie RestroPress restropress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RestroPress: from n/a through <= 3.2.8.