6.5
CVE-2021-4445 - Premium Addons for Elementor <= 4.5.1 - Authenticated (Subscriber+) Limited Arbitrary Option Update
The Premium Addons for Elementor plugin for WordPress is vulnerable to Arbitrary Option Updates in versions up to, and including, 4.5.1. This is due to missing capability and nonce checks in the pa_dismiss_admin_notice AJAX action. This makes it possible for authenticated subscriber+ attackers to cβ¦
8.8
CVE-2021-4447 - Essential Addons for Elementor <= 4.6.4 - Authenticated (Contributor+) Privilege Escalation
The Essential Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to and including 4.6.4 due to a lack of restrictions on who can add a registration form and a custom registration role to an Elementor created page. This makes it possible for attackers witβ¦
4.9
CVE-2022-4973 - WordPress Core < 6.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via use of the_meβ¦
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into poβ¦
4.3
CVE-2023-7290 - Paytium: Mollie payment forms & donations <= 4.3.7 - Missing Authorization in 'check_for_verified_pβ¦
The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the check_for_verified_profiles function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with subscriber-lβ¦
6.3
CVE-2020-36833 - Indeed Membership Pro 7.3 - 8.6 - Missing Authorization Checks
The Indeed Membership Pro plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on various AJAX actions in versions 7.3 - 8.6. This makes it possible for authenticated attacker, with minimal permission, such as a subscriber, to perform a variety of actions suchβ¦
7.2
CVE-2016-15041 - MainWP Dashboard β The Private WordPress Manager for Multiple Website Maintenance Plugin <= 3.1.2 -β¦
The MainWP Dashboard β The Private WordPress Manager for Multiple Website Maintenance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the βmwp_setup_purchase_usernameβ parameter in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping.β¦
5.4
CVE-2023-7289 - Paytium: Mollie payment forms & donations <= 4.3.7 - Missing Authorization in 'paytium_sw_save_api_β¦
The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized API key update due to a missing capability check on the paytium_sw_save_api_keys function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with subscriber-leveβ¦
7.5
CVE-2022-4972 - Download Monitor <= 4.7.51 - Missing Authorization to Unauthenticated Data Export
The Download Monitor plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST-API routes related to reporting in versions up to, and including, 4.7.51. This makes it possible for unauthenticated attackers to view user data and other sensitive infoβ¦
9.8
CVE-2018-25105 - File Manager <= 3.0 - Unauthenticated Arbitrary File Upload/Download
The File Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in the /inc/root.php file in versions up to, and including, 3.0. This makes it possible for unauthenticated attackers to download arbitrary files from the server and upload arbitrary filesβ¦
9.8
CVE-2020-36832 - Indeed Membership Pro 7.3 - 8.6 - Authentication Bypass
The Ultimate Membership Pro plugin for WordPress is vulnerable to Authentication Bypass in versions between, and including, 7.3 to 8.6. This makes it possible for unauthenticated attackers to login as any user, including the site administrator with a default user ID of 1, via the username or user Iβ¦