Total: 2747 CVEs (20 shown on this page)
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-3053 | 1 Azexo | 1 Page Builder With Image Map By Azexo | 2023-11-07 | N/A | 4.3 MEDIUM | The Page Builder by AZEXO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'azh_add_post' function in versions up to, and including, 1.27.133. This makes it possible for authenticated attackers to create a post with any post type and post status.
CVE-2023-36140 | 1 Phpjabbers | 1 Cleaning Business Software | 2023-11-07 | N/A | 9.8 CRITICAL | In PHPJabbers Cleaning Business Software 1.0, there is no encryption on user passwords, allowing an attacker to gain access to all user accounts.
CVE-2023-30969 | 1 Palantir | 1 Tiles | 2023-11-07 | N/A | 6.5 MEDIUM | The Palantir Tiles1 service was found to be vulnerable to an API-wide issue where the service was not performing authentication/authorization on all the endpoints.
CVE-2023-30950 | 1 Palantir | 1 Foundry Campaigns | 2023-11-07 | N/A | 5.9 MEDIUM | The Foundry Campaigns service was found to be vulnerable to an unauthenticated information disclosure in a REST endpoint.
CVE-2023-30948 | 1 Palantir | 1 Foundry Comments | 2023-11-07 | N/A | 6.5 MEDIUM | A security defect in Foundry's Comments functionality resulted in the retrieval of attachments to comments not being gated by additional authorization checks. This could enable an authenticated user to inject a previously discovered attachment UUID into other arbitrary comments to discover its content. This defect was fixed in Foundry Comments 2.249.0, and a patch was rolled out to affected Foundry environments. No further intervention is required at this time.
CVE-2023-2796 | 1 Myeventon | 1 Eventon | 2023-11-07 | N/A | 5.3 MEDIUM | The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password-protected Events by guessing their numeric id.
CVE-2023-2716 | 1 Groundhogg | 1 Groundhogg | 2023-11-07 | N/A | 5.4 MEDIUM | The Groundhogg plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'ajax_upload_file' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload a file to a contact and then list all the other uploaded files related to that contact.
CVE-2023-2715 | 1 Groundhogg | 1 Groundhogg | 2023-11-07 | N/A | 4.3 MEDIUM | The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_ticket' function in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers to create a support ticket that sends the website's data to the plugin developer; it is also possible to create admin access with an auto-login link that is likewise sent to the plugin developer with the ticket. It only works if the plugin is activated with a valid license.
CVE-2023-2714 | 1 Groundhogg | 1 Groundhogg | 2023-11-07 | N/A | 4.3 MEDIUM | The Groundhogg plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_license' functions in versions up to, and including, 2.7.9.8. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change the license key and support license key, but they can only be changed to a valid license key.
CVE-2023-2562 | 1 Gallery-metabox Project | 1 Gallery-metabox | 2023-11-07 | N/A | 4.3 MEDIUM | The Gallery Metabox plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the refresh_metabox function in versions up to, and including, 1.5. This makes it possible for subscriber-level attackers to obtain a list of images attached to a post.
CVE-2023-2557 | 1 Pluginus | 1 Wordpress Currency Switcher Professional | 2023-11-07 | N/A | 4.3 MEDIUM | The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save function in versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit an arbitrary custom drop-down currency switcher.
CVE-2023-2547 | 1 Featherplugins | 1 Feather Login Page | 2023-11-07 | N/A | 5.4 MEDIUM | The Feather Login Page plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deleteUser' function in versions starting from 1.0.7 up to, and including, 1.1.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete the temporary user generated by the plugin.
CVE-2023-2545 | 1 Featherplugins | 1 Feather Login Page | 2023-11-07 | N/A | 8.8 HIGH | The Feather Login Page plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'getListOfUsers' function in versions starting from 1.0.7 up to, and including, 1.1.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to access the login links, which can be used for privilege escalation.
CVE-2023-2494 | 1 Granthweb | 1 Go Pricing | 2023-11-07 | N/A | 8.8 HIGH | The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_postdata' function in versions up to, and including, 3.3.19. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin to modify access to the plugin, which should be the administrator's privilege alone.
CVE-2023-2415 | 1 Vcita | 1 Online Booking & Scheduling Calendar For Wordpress By Vcita | 2023-11-07 | N/A | 5.4 MEDIUM | The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_logout_callback function in versions up to, and including, 4.2.10. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to log out the connected vcita account, which causes a denial of service on the appointment scheduler.
CVE-2023-2299 | 1 Vcita | 1 Online Booking & Scheduling Calendar For Wordpress | 2023-11-07 | N/A | 5.3 MEDIUM | The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data via the /wp-json/vcita-wordpress/v1/actions/auth REST-API endpoint in versions up to, and including, 4.2.10 due to a missing capability check on the processAction function. This makes it possible for unauthenticated attackers to modify the plugin's settings.
CVE-2023-2189 | 1 Staxwp | 1 Stax | 2023-11-07 | N/A | 4.3 MEDIUM | The Elementor Addons, Widgets and Enhancements – Stax plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the toggle_widget function in versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to enable or disable Elementor widgets.
CVE-2023-2174 | 1 Badgeos | 1 Badgeos | 2023-11-07 | N/A | 4.3 MEDIUM | The BadgeOS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_badgeos_log_entries function in versions up to, and including, 3.7.1.6. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete the plugin's log entries.
CVE-2023-28640 | 1 Apiman | 1 Apiman | 2023-11-07 | N/A | 3.1 LOW | Apiman is a flexible and open source API Management platform. Due to a missing permissions check, an attacker with an authenticated Apiman Manager account may be able to gain access to API keys they do not have permission for if they correctly guess the URL, which includes the Organisation ID, Client ID, and Client Version of the targeted non-permitted resource. While not trivial to exploit, it could be achieved by brute-forcing or guessing common names. Access to the non-permitted API keys could allow use of other users' resources without their permission (depending on the specifics of configuration, such as whether an API key is the only form of security). Apiman 3.1.0.Final resolved this issue. Users are advised to upgrade. The only known workaround is to restrict account access.
CVE-2023-27264 | 1 Mattermost | 1 Mattermost | 2023-11-07 | N/A | 6.5 MEDIUM | A missing permissions check in Mattermost Playbooks in Mattermost allows an attacker to modify a playbook via the /plugins/playbooks/api/v0/playbooks/[playbookID] API.
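Most WordPress entries on this page are one defect class: an `admin-ajax.php` action or REST route whose only gate is "the caller is logged in" (or, for `nopriv` handlers and the vcita REST endpoint, nothing at all), so a subscriber can reach a function meant for administrators, and an anonymous visitor can fetch any object whose id they guess. The fragment below is an added illustration and not code from any plugin listed here or from the original page: it puts the vulnerable shape beside the hardened one for an AJAX settings write, an object-level check on a public ICS download in the style of the EventON entry, and a REST route whose `permission_callback` does the authorization. Hook names, the `example_settings` option, the `example_event` post type and the `manage_options` capability choice are hypothetical; the WordPress functions called are real core APIs (`is_post_publicly_viewable()` needs WordPress 5.7 or later).

```php
<?php
/**
 * Added example, not code from any plugin listed on this page.
 * Hypothetical: hook names, option key, 'example_event' post type, capability choices.
 */

// 1. Settings write over admin-ajax.php.
// Vulnerable form: being logged in is the only gate, so a subscriber can change
// plugin settings (the shape of the currency-switcher, Stax and Groundhogg entries).
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_settings', $settings );
    wp_send_json_success();
}

// Hardened form: the nonce covers CSRF, the capability check covers authorization.
// Both are needed; a nonce alone still lets every logged-in user call the action.
add_action( 'wp_ajax_example_save_settings_v2', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    check_ajax_referer( 'example_save_settings', 'nonce' ); // sends 403 and exits on a bad or missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $settings = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_settings', array_map( 'sanitize_text_field', $settings ) );
    wp_send_json_success();
}

// 2. Per-object check on a public (nopriv) download endpoint.
// A numeric id in the request is not proof of access; the EventON entry above is a
// handler that served private and password-protected events to whoever guessed the id.
add_action( 'wp_ajax_nopriv_example_ics_download', 'example_ics_download' );
add_action( 'wp_ajax_example_ics_download', 'example_ics_download' );
function example_ics_download() {
    $post = get_post( absint( $_GET['event_id'] ?? 0 ) );
    if ( ! $post || 'example_event' !== $post->post_type ) {
        wp_send_json_error( null, 404 );
    }
    // Public, published events stay open to anonymous callers. Anything else
    // (private, draft, pending) goes through the read_post meta capability, which
    // WordPress maps to read_private_posts for private posts, so anonymous users and
    // subscribers get a 403 instead of the calendar entry.
    $readable = is_post_publicly_viewable( $post ) || current_user_can( 'read_post', $post->ID );
    if ( ! $readable || post_password_required( $post ) ) {
        wp_send_json_error( null, 403 );
    }
    header( 'Content-Type: text/calendar; charset=utf-8' );
    echo "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\nSUMMARY:" . $post->post_title . "\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n";
    wp_die();
}

// 3. REST route: permission_callback is the authorization check.
// Registering the route with '__return_true' (or no callback at all) is what turns a
// settings write into an unauthenticated one, as in the vcita /wp-json/.../actions/auth entry.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_rest_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'settings' => array( 'type' => 'object', 'required' => true ),
        ),
    ) );
} );
function example_rest_save_settings( WP_REST_Request $request ) {
    $settings = array_map( 'sanitize_text_field', (array) $request->get_param( 'settings' ) );
    update_option( 'example_settings', $settings );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

Two points worth checking when reviewing a plugin for this class: every `wp_ajax_*` and `wp_ajax_nopriv_*` callback should open with `check_ajax_referer()` and a `current_user_can()` test for a capability that matches the action (a meta capability such as `read_post`/`edit_post` with the object id when the action touches a specific object), and every `register_rest_route()` call should carry a `permission_callback` that is not `__return_true` unless the route is genuinely public. For cookie-authenticated REST callers WordPress only sets the current user when the request carries a valid `X-WP-Nonce` header, so a missing nonce makes `current_user_can()` evaluate as the logged-out user and the callback correctly refuses.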