
CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

21 Jun 2024 — Missing Authorization vulnerability in OptinlyHQ Optinly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Optinly: from n/a through 1.0.18. The Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.0.18. This makes it possible for unauthenticated attackers to perform an unauthorized action. • https://patchstack.com/database/vulnerability/optinly/wordpress-optinly-plugin-1-0-18-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

12 Oct 2022 — Cross-Site Request Forgery (CSRF) in OptinlyHQ Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms plugin <= 1.0.15 versions. The Optinly plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.15. This is due to missing or incorrect nonce validation on several of its functions. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request, granted they can trick a site administrator into performing an actio... • https://patchstack.com/database/vulnerability/optinly/wordpress-optinly-plugin-1-0-11-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 7.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

12 Oct 2022 — The Optinly plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several AJAX actions in versions up to, and including, 1.0.18. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change certain plugin settings. • CWE-862: Missing Authorization