CWE:
 

Tytuł
Data
Autor
Low
Listeo WordPress Theme <= 1.6.10 - Multiple Authenticated IDOR Vulnerabilities
17.05.2021
m0ze
Med.
HomeSweet - Real Estate WordPress Theme v1.4 - IDOR leading to arbitrary deletion of ads
13.07.2020
Vlad Vector
Med.
CarSpot – Dealership Wordpress Classified Theme v2.2.0 Multiple Vulnerabilities
17.01.2020
m0ze
Med.
Fortify Software Security Center (SSC) 17.10/17.20/18.10 Information Disclosure (2)
24.12.2018
alt3kx


Common Weakness Enumeration (CWE)

CVE
Szczegóły
Opis
2024-10-18
Waiting for details
CVE-2024-10121

Updating...
 

 
A vulnerability was found in wfh45678 Radar up to 1.0.8 and classified as critical. This issue affects some unknown processing of the component Interface Handler. The manipulation with the input /../ leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This appears not to be a path traversal weakness. The vendor was contacted early about this disclosure but did not respond in any way.

 
2024-10-17
Waiting for details
CVE-2024-9215

Updating...
 

 
The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege Escalation/Account Takeover in all versions up to, and including, 4.7.1 via the action_edited_author() due to missing validation on the 'authors-user_id' user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update arbitrary user accounts email addresses, including administrators, which can then be leveraged to reset that user's account password and gain access.

 
Waiting for details
CVE-2024-9862

Updating...
 

 
The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 3.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources, and the user current password check is missing. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.

 
Waiting for details
CVE-2024-9263

Updating...
 

 
The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 1.0.25 via the save() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to reset the emails and passwords of arbitrary user accounts, including administrators, which makes account takeover and privilege escalation possible.

 
2024-10-16
Waiting for details
CVE-2023-7286

Updating...
 

 
The plugin ACF Quick Edit Fields for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.2.2. This makes it possible for attackers without the edit_users capability to access metadata of other users, this includes contributor-level users and above.

 
2024-10-15
Waiting for details
CVE-2024-9687

Updating...
 

 
The WP 2FA with Telegram plugin for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0. This is due to insufficient validation of the user-controlled key on the 'validate_tg' action. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator.

 
Waiting for details
CVE-2024-49388

Updating...
 

 
Sensitive information manipulation due to improper authorization. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 38690.

 
2024-10-06
Waiting for details
CVE-2024-9554

Updating...
 

 
A vulnerability classified as problematic was found in Sovell Smart Canteen System up to 3.0.7303.30513. Affected by this vulnerability is the function Check_ET_CheckPwdz201 of the file suanfa.py of the component Password Reset Handler. The manipulation leads to authorization bypass. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.

 
2024-10-05
Waiting for details
CVE-2024-47316

Updating...
 

 
Authorization Bypass Through User-Controlled Key vulnerability in Salon Booking System Salon booking system.This issue affects Salon booking system: from n/a through 10.9.

 
2024-10-04
Waiting for details
CVE-2024-47657

Updating...
 

 
This vulnerability exists in the Shilpi Net Back Office due to improper access controls on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter dfclientid through API request URLs which could lead to unauthorized access to sensitive information belonging to other users.

 

 


Copyright 2024, cxsecurity.com

 

Back to Top