CWE:

Severity | Topic | Date | Author
Low | Listeo WordPress Theme <= 1.6.10 - Multiple Authenticated IDOR Vulnerabilities | 17.05.2021 | m0ze
Med. | HomeSweet - Real Estate WordPress Theme v1.4 - IDOR leading to arbitrary deletion of ads | 13.07.2020 | Vlad Vector
Med. | CarSpot – Dealership Wordpress Classified Theme v2.2.0 Multiple Vulnerabilities | 17.01.2020 | m0ze
Med. | Fortify Software Security Center (SSC) 17.10/17.20/18.10 Information Disclosure (2) | 24.12.2018 | alt3kx


CVEMAP Search Results

Date | CVE | Severity | Vendor / Software
(each entry is followed by its description)

2022-08-09 | CVE-2022-2730 | Waiting for details | -
    Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1.

2022-08-08 | CVE-2022-2367 | Waiting for details | -
    The WSM Downloader WordPress plugin through 1.4.0 allows images/files to be downloaded only from specific popular websites; this restriction can be bypassed because the "link" parameter is not properly validated.

2022-08-01 | CVE-2022-1600 | Waiting for details | -
    The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations.

2022-07-20 | CVE-2022-33944 | Waiting for details | -

2022-07-17 | CVE-2021-24655 | Medium | Vendor: Wpusermanager, Software: Wp user manager
    The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID whose password is being reset is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.

2022-07-08 | CVE-2022-30852 | Low | Vendor: Withknown, Software: Known
    Known v1.3.1 was discovered to contain an Insecure Direct Object Reference (IDOR).

2022-07-06 | CVE-2022-23173 | Medium | Vendor: Priority-software, Software: Priority
    This vulnerability affects users who are not even permitted to access the application via the web interface. First, the attacker accesses the "Login menu - demo site", where the menu shows all the functionality of the application. Clicking one of the links returns a response stating that the user is not authorized and must log in with credentials. After logging in, some functionality remains unavailable to that specific user because the account was configured with low privileges; however, all the attacker needs to do is change the value of the prog step parameter from 0 to 1 or more, after which the attacker can access functionality of the web application that was not available before the parameter was changed.

2022-06-28 | CVE-2022-0624 | Waiting for details | -
    Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.

2022-06-20 | CVE-2022-1614 | Low | Vendor: Wp-email project, Software: Wp-email
    The WP-EMail WordPress plugin before 2.69.0 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based anti-spamming restrictions.

2022-06-13 | CVE-2022-1762 | Medium | Vendor: Webence, Software: Iq block country
    The iQ Block Country WordPress plugin through 1.2.13 does not properly check HTTP headers in order to validate the origin IP address, allowing threat actors to bypass its block feature by spoofing the headers.

Copyright 2022, cxsecurity.com