Total
4885 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-6696 | 1 Sygnoos | 1 Popup Builder | 2024-11-21 | N/A | 8.1 HIGH |
| The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 4.3.1. While some functions contain a nonce check, the nonce can be obtained from the profile page of a logged-in user. This allows subscribers to perform several actions including deleting subscribers and perform blind Server-Side Request Forgery. | |||||
| CVE-2023-6598 | 1 Softaculous | 1 Speedycache | 2024-11-21 | N/A | 4.3 MEDIUM |
| The SpeedyCache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the speedycache_save_varniship, speedycache_img_update_settings, speedycache_preloading_add_settings, and speedycache_preloading_delete_resource functions in all versions up to, and including, 1.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to update plugin options. | |||||
| CVE-2023-6554 | 1 Tecnick | 1 Tcexam | 2024-11-21 | N/A | 6.5 MEDIUM |
| When access to the "admin" folder is not protected by some external authorization mechanisms e.g. Apache Basic Auth, it is possible for any user to download protected information like exam answers. | |||||
| CVE-2023-6496 | 1 Freeamigos | 1 Manage Notification E-mails | 2024-11-21 | N/A | 5.3 MEDIUM |
| The Manage Notification E-mails plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.8.5 via the card_famne_export_settings function. This makes it possible for unauthenticated attackers to obtain plugin settings. | |||||
| CVE-2023-6491 | 1 Wpchill | 1 Strong Testimonials | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the wpmtst_save_view_sticky function in all versions up to, and including, 3.1.12. This makes it possible for authenticated attackers, with contributor access and above, to modify favorite views. | |||||
| CVE-2023-6394 | 2 Quarkus, Redhat | 2 Quarkus, Build Of Quarkus | 2024-11-21 | N/A | 7.4 HIGH |
| A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions. | |||||
| CVE-2023-6038 | 1 H2o | 1 H2o | 2024-11-21 | N/A | 7.5 HIGH |
| A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files on the server with the permissions of the user running the h2o-3 instance. This issue affects the default installation and does not require user interaction. The vulnerability can be exploited by making specific GET or POST requests to the ImportFiles and ParseSetup endpoints, respectively. This issue was identified in version 3.40.0.4 of h2o-3. | |||||
| CVE-2023-6020 | 1 Ray Project | 1 Ray | 2024-11-21 | N/A | 7.5 HIGH |
| LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. | |||||
| CVE-2023-6007 | 1 Userproplugin | 1 Userpro | 2024-11-21 | N/A | 7.3 HIGH |
| The UserPro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.1.1. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options. | |||||
| CVE-2023-6001 | 1 Yugabyte | 1 Yugabytedb | 2024-11-21 | N/A | 5.3 MEDIUM |
| Prometheus metrics are available without authentication. These expose detailed and sensitive information about the YugabyteDB Anywhere environment. | |||||
| CVE-2023-5949 | 1 Wpmudev | 1 Smartcrawl | 2024-11-21 | N/A | 7.5 HIGH |
| The SmartCrawl WordPress plugin before 3.8.3 does not prevent unauthorised users from accessing password-protected posts' content. | |||||
| CVE-2023-5905 | 1 Demomentsomtres | 1 Export Posts With Images | 2024-11-21 | N/A | 8.1 HIGH |
| The DeMomentSomTres WordPress Export Posts With Images WordPress plugin through 20220825 does not check authorization of requests to export the blog data, allowing any logged in user, such as subscribers to export the contents of the blog, including restricted and unpublished posts, as well as passwords of protected posts. | |||||
| CVE-2023-5862 | 1 Hamza417 | 1 Inure | 2024-11-21 | N/A | 3.3 LOW |
| Missing Authorization in GitHub repository hamza417/inure prior to Build95. | |||||
| CVE-2023-5737 | 1 Webtoffee | 1 Backup And Migration | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WordPress Backup & Migration WordPress plugin before 1.4.4 does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings. | |||||
| CVE-2023-5714 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_db_specs() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve data key specs. | |||||
| CVE-2023-5713 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_option_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve potentially sensitive option values, and deserialize the content of those values. | |||||
| CVE-2023-5712 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_global_value() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive global value information. | |||||
| CVE-2023-5711 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_php_info() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive information provided by PHP info. | |||||
| CVE-2023-5710 | 1 Bowo | 1 System Dashboard | 2024-11-21 | N/A | 4.3 MEDIUM |
| The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sd_constants() function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive information such as database credentials. | |||||
| CVE-2023-5612 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 5.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled. | |||||