Total
4876 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-2716 | 1 Groundhogg | 1 Groundhogg | 2024-11-21 | N/A | 5.4 MEDIUM |
The Groundhogg plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'ajax_upload_file' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload a file to the contact, and then list all the other uploaded files related to the contact. | |||||
CVE-2023-2715 | 1 Groundhogg | 1 Groundhogg | 2024-11-21 | N/A | 4.3 MEDIUM |
The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_ticket' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers to create a support ticket that sends the website's data to the plugin developer, and it is also possible to create an admin access with an auto login link that is also sent to the plugin developer with the ticket. It only works if the plugin is activated with a valid license. | |||||
CVE-2023-2714 | 1 Groundhogg | 1 Groundhogg | 2024-11-21 | N/A | 4.3 MEDIUM |
The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_license' functions in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change the license key and support license key, but it can only be changed to a valid license key. | |||||
CVE-2023-2590 | 1 Answer | 1 Answer | 2024-11-21 | N/A | 3.5 LOW |
Missing Authorization in GitHub repository answerdev/answer prior to 1.0.9. | |||||
CVE-2023-2562 | 1 Gallery-metabox Project | 1 Gallery-metabox | 2024-11-21 | N/A | 4.3 MEDIUM |
The Gallery Metabox for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the refresh_metabox function in versions up to, and including, 1.5. This makes it possible for subscriber-level attackers to obtain a list of images attached to a post. | |||||
CVE-2023-2557 | 1 Pluginus | 1 Wordpress Currency Switcher Professional | 2024-11-21 | N/A | 4.3 MEDIUM |
The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save function in versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit an arbitrary custom drop-down currency switcher. | |||||
CVE-2023-2547 | 1 Featherplugins | 1 Feather Login Page | 2024-11-21 | N/A | 5.4 MEDIUM |
The Feather Login Page plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deleteUser' function in versions starting from 1.0.7 up to, and including, 1.1.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete the temp user generated by the plugin. | |||||
CVE-2023-2545 | 1 Featherplugins | 1 Feather Login Page | 2024-11-21 | N/A | 8.1 HIGH |
The Feather Login Page plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'getListOfUsers' function in versions starting from 1.0.7 up to, and including, 1.1.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to access the login links, which can be used for privilege escalation. | |||||
CVE-2023-2494 | 1 Granthweb | 1 Go Pricing | 2024-11-21 | N/A | 4.6 MEDIUM |
The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_postdata' function in versions up to, and including, 3.3.19. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin to modify access to the plugin when it should only be the administrator's privilege. | |||||
CVE-2023-2480 | 1 M-files | 1 M-files | 2024-11-21 | N/A | 7.5 HIGH |
Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allow elevation of privilege via UI extension applications. | |||||
CVE-2023-2448 | 1 Userproplugin | 1 Userpro | 2024-11-21 | N/A | 6.5 MEDIUM |
The UserPro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'userpro_shortcode_template' function in versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. An attacker can leverage CVE-2023-2446 to get sensitive information via shortcode. | |||||
CVE-2023-2434 | 1 Kylephillips | 1 Nested Pages | 2024-11-21 | N/A | 3.8 LOW |
The Nested Pages plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'reset' function in versions up to, and including, 3.2.3. This makes it possible for authenticated attackers, with editor-level permissions and above, to reset plugin settings. | |||||
CVE-2023-2268 | 1 Plane | 1 Plane | 2024-11-21 | N/A | 7.1 HIGH |
Plane version 0.7.1 allows an unauthenticated attacker to view all stored server files of all users. | |||||
CVE-2023-2233 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 3.1 LOW |
An improper authorization issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.2.8, all versions starting from 16.3 before 16.3.5 and all versions starting from 16.4 before 16.4.1. It allows a project reporter to leak the owner's Sentry instance projects. | |||||
CVE-2023-2193 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 6.5 MEDIUM |
Mattermost fails to invalidate existing authorization codes when deauthorizing an OAuth2 app, allowing an attacker possessing an authorization code to generate an access token. | |||||
CVE-2023-2189 | 1 Staxwp | 1 Stax | 2024-11-21 | N/A | 4.3 MEDIUM |
The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the toggle_widget function in versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to enable or disable Elementor widgets. | |||||
CVE-2023-2174 | 1 Badgeos | 1 Badgeos | 2024-11-21 | N/A | 4.3 MEDIUM |
The BadgeOS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_badgeos_log_entries function in versions up to, and including, 3.7.1.6. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete the plugin's log entries. | |||||
CVE-2023-29174 | | | 2024-11-21 | N/A | 6.5 MEDIUM |
Missing Authorization vulnerability in NervyThemes SKU Label Changer For WooCommerce. This issue affects SKU Label Changer For WooCommerce: from n/a through 3.0. | |||||
CVE-2023-28775 | 1 Yoast | 1 Yoast Seo | 2024-11-21 | N/A | 5.3 MEDIUM |
Missing Authorization vulnerability in Yoast Yoast SEO Premium. This issue affects Yoast SEO Premium: from n/a through 20.4. | |||||
CVE-2023-28673 | 1 Jenkins | 1 Octoperf Load Testing | 2024-11-21 | N/A | 4.3 MEDIUM |
A missing permission check in Jenkins OctoPerf Load Testing Plugin Plugin 4.5.2 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. |