
CVE-2023-3707 – ActivityPub for WordPress < 1.0.0 - Subscriber+ Arbitrary Post Content Disclosure
https://notcve.org/view.php?id=CVE-2023-3707
25 Sep 2023 — The ActivityPub WordPress plugin before 1.0.0 does not ensure that post contents to be displayed are public and belong to the plugin, allowing any authenticated user, such as a subscriber, to retrieve the content of arbitrary posts (such as draft and private ones) via an IDOR vector. Password protected posts are not affected by this issue. • https://wpscan.com/vulnerability/541bbe4c-3295-4073-901d-763556269f48 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2023-37871 – WordPress WooCommerce GoCardless Gateway Plugin <= 2.5.6 is vulnerable to Insecure Direct Object References (IDOR)
https://notcve.org/view.php?id=CVE-2023-37871
10 Jul 2023 — Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless. This issue affects GoCardless: from n/a through 2.5.6. The WooCommerce GoCardless Gateway plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.5.6. This is due to missing validation on a user contro... • https://patchstack.com/database/vulnerability/woocommerce-gateway-gocardless/wordpress-woocommerce-gocardless-gateway-plugin-2-5-6-unauthenticated-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2023-35915 – WordPress WooCommerce Payments Plugin <= 5.9.0 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-35915
20 Jun 2023 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo. This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 5.9.0. • https://patchstack.com/database/vulnerability/woocommerce-payments/wordpress-woocommerce-payments-plugin-5-9-0-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-35876 – WordPress WooCommerce Square Plugin <= 3.8.1 is vulnerable to Insecure Direct Object References (IDOR)
https://notcve.org/view.php?id=CVE-2023-35876
19 Jun 2023 — Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Square. This issue affects WooCommerce Square: from n/a through 3.8.1. The WooCommerce Square plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versio... • https://patchstack.com/database/vulnerability/woocommerce-square/wordpress-woocommerce-square-plugin-3-8-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2023-35914 – WordPress WooCommerce Subscriptions Plugin <= 5.1.2 is vulnerable to Insecure Direct Object References (IDOR)
https://notcve.org/view.php?id=CVE-2023-35914
19 Jun 2023 — Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Woo Subscriptions. This issue affects Woo Subscriptions: from n/a through 5.1.2. The WooCommerce Subscriptions plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on an unknown function in versions... • https://patchstack.com/database/vulnerability/woocommerce-subscriptions/wordpress-woocommerce-subscriptions-plugin-5-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2023-35916 – WordPress WooCommerce Payments Plugin <= 5.9.0 is vulnerable to Insecure Direct Object References (IDOR)
https://notcve.org/view.php?id=CVE-2023-35916
19 Jun 2023 — Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo. This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 5.9.0. • https://patchstack.com/database/vulnerability/woocommerce-payments/wordpress-woocommerce-payments-plugin-5-9-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2014-125104 – VaultPress Plugin MailPoet Plugin class.vaultpress-hotfixes.php protect_aioseo_ajax unrestricted upload
https://notcve.org/view.php?id=CVE-2014-125104
01 Jun 2023 — A vulnerability was found in VaultPress Plugin up to 1.6.0 on WordPress. It has been declared as critical. Affected by this vulnerability is the function protect_aioseo_ajax of the file class.vaultpress-hotfixes.php of the component MailPoet Plugin. The manipulation leads to unrestricted upload. The attack can be launched remotely. • https://github.com/wp-plugins/vaultpress/commit/e3b92b14edca6291c5f998d54c90cbe98a1fb0e3 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2023-2996 – Jetpack < 12.1.1 - Author+ Arbitrary File Manipulation via API
https://notcve.org/view.php?id=CVE-2023-2996
30 May 2023 — The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization. The Jetpack plugin for WordPress is vulnerable to arbitrary file manipulation in versions up to, and including, 12.1. This is due to insufficient validation on data being supplied to the media API endpoint. This makes it possible for authenticated att... • https://jetpack.com/blog/jetpack-12-1-1-critical-security-update • CWE-20: Improper Input Validation •

CVE-2023-32747 – WordPress WooCommerce Bookings Plugin <= 1.15.78 is vulnerable to Insecure Direct Object References (IDOR)
https://notcve.org/view.php?id=CVE-2023-32747
15 May 2023 — Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Bookings. This issue affects WooCommerce Bookings: from n/a through 1.15.78. The WooCommerce Bookings plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 1.15.78. This is due to... • https://patchstack.com/database/vulnerability/woocommerce-bookings/wordpress-woocommerce-bookings-plugin-1-15-78-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2022-3342 – Jetpack CRM <= 5.3.1 - Cross-Site Request Forgery and PHAR Deserialization
https://notcve.org/view.php?id=CVE-2022-3342
18 Apr 2023 — The Jetpack CRM plugin for WordPress is vulnerable to PHAR deserialization via the ‘zbscrmcsvimpf’ parameter in the 'zeroBSCRM_CSVImporterLitehtml_app' function in versions up to, and including, 5.3.1. While the function performs a nonce check, steps 2 and 3 of the check do not take any action upon a failed check. These steps then perform a 'file_exists' check on the value of 'zbscrmcsvimpf'. If a phar:// archive is supplied, its contents will be deserialized and an object injected in the execution stream. ... • https://plugins.trac.wordpress.org/browser/zero-bs-crm/trunk/includes/ZeroBSCRM.CSVImporter.php?rev=2790863 • CWE-502: Deserialization of Untrusted Data •