| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the preview_module() function in all versions up to, and including, 7.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view unpublished forms. |
| Due to missing authorization checks, SAP Business Warehouse (BEx Analyzer) allows an authenticated attacker to access information over the network which is otherwise restricted. On successful exploitation the attacker can enumerate information causing a limited impact on confidentiality of the application. |
| The RFC enabled function module allows a low privileged user to add URLs to any user's workplace favourites. This vulnerability could be utilized to identify usernames and access information about targeted user's workplaces, and nodes. There is low impact on integrity of the application |
| Missing Authorization vulnerability in Theme4Press Demo Awesome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Demo Awesome: from n/a through 1.0.2. |
| Missing Authorization vulnerability in Kraft Plugins Demo Importer Plus demo-importer-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Demo Importer Plus: from n/a through <= 2.0.8. |
| Missing Authorization vulnerability in Aruba.It Aruba HiSpeed Cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Aruba HiSpeed Cache: from n/a through 2.0.12. |
| The Elespare – Build Your Blog, News & Magazine Websites with Expert-Designed Template Kits. One Click Import: No Coding Skills Required! plugin for WordPress is vulnerable to unauthorized post creation due to a missing capability check on the elespare_create_post() function hooked via AJAX in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary posts. |
| The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revoke existing API keys and generate new ones. |
| Missing Authorization vulnerability in GhostPool Aardvark Plugin aardvark-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Aardvark Plugin: from n/a through <= 2.19. |
| Missing Authorization vulnerability in WPBackItUp Backup and Restore WordPress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Backup and Restore WordPress: from n/a through 1.50. |
| The Yaad Sarig Payment Gateway For WC plugin for WordPress is vulnerable to unauthorized modification & access of data due to a missing capability check on the yaadpay_view_log_callback() and yaadpay_delete_log_callback() functions in all versions up to, and including, 2.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete logs. |
| A problem with missing authorization on SolaX Cloud platform allows taking over any SolaX solarpanel inverter of which the serial number is known. |
| The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a misconfigured check on the 'rtcl_import_settings' function in all versions up to, and including, 3.1.15.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update limited arbitrary options on the WordPress site. This can be leveraged to update the Subscriber role with Administrator-level capabilities to gain administrative user access to a vulnerable site. The vulnerability is limited in that the option updated must have a value that is an array. |
| The LazyLoad Background Images plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pblzbg_save_settings() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. |
| The 360 Javascript Viewer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and nonce exposure on several AJAX actions in all versions up to, and including, 1.7.12. This makes it possible for authenticated attackers, with subscriber access or higher, to update plugin settings. |
| Missing Authorization vulnerability in WP SCHEMA PRO Schema Pro.This issue affects Schema Pro: from n/a through 2.7.8. |
| The Admin Bar Remover plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_form() function in all versions up to, and including, 1.0.2.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to enable or disable the admin bar on the front-end of the site. |
| The QQWorld Auto Save Images plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the save_remote_images_get_auto_saved_results() function hooked via a norpriv AJAX in all versions up to, and including, 1.9.8. This makes it possible for unauthenticated attackers to retrieve the contents of arbitrary posts that may not be public. |
| The Sharkdropship for AliExpress Dropshipping and Affiliate plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wads_removeProductFromShop() function in all versions up to, and including, 2.2.4. This makes it possible for unauthenticated attackers to delete arbitrary posts. |
| Incorrect access control in the component content://com.handcent.messaging.provider.MessageProvider/ of Handcent NextSMS v10.9.9.7 allows attackers to access sensitive data. |
