Total
4067 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-36730 | 1 Niteothemes | 1 Cmp | 2024-11-21 | N/A | 8.3 HIGH |
| The CMP for WordPress is vulnerable to authorization bypass due to a missing capability check on the cmp_get_post_detail(), niteo_export_csv(), and cmp_disable_comingsoon_ajax() functions in versions up to, and including, 3.8.1. This makes it possible for unauthenticated attackers to read posts, export subscriber lists, and/or deactivate the plugin. | |||||
| CVE-2020-36729 | 1 2joomla | 1 2j Slideshow | 2024-11-21 | N/A | 5.4 MEDIUM |
| The 2J-SlideShow Plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'twoj_slideshow_setup' function called via the wp_ajax_twoj_slideshow_setup AJAX action in versions up to, and including, 1.3.31. This makes it possible for authenticated attackers (Subscriber, or above level access) to allow attackers to perform otherwise restricted actions and subsequently deactivate any plugins on the blog. | |||||
| CVE-2020-36725 | 1 Templateinvaders | 1 Ti Woocommerce Wishlist | 2024-11-21 | N/A | 8.8 HIGH |
| The TI WooCommerce Wishlist and TI WooCommerce Wishlist Pro plugins for WordPress are vulnerable to an Options Change vulnerability in versions up to, and including, 1.21.11 and 1.21.4 via the 'ti-woocommerce-wishlist/includes/export.class.php' file. This makes it possible for authenticated attackers to gain otherwise restricted access to the vulnerable blog and update any settings. | |||||
| CVE-2020-36721 | 3 Colorlib, Cpothemes, Machothemes | 15 Activello, Bonkers, Illdy and 12 more | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welcome.php' file missing capability and security checks/nonces. This makes it possible for unauthenticated attackers to activate and deactivate arbitrary plugins installed on a vulnerable site. | |||||
| CVE-2020-36720 | 1 Kaliforms | 1 Kali Forms | 2024-11-21 | N/A | 7.1 HIGH |
| The Kali Forms plugin for WordPress is vulnerable to Authenticated Options Change in versions up to, and including, 2.1.1. This is due to the update_option lacking proper authentication checks. This makes it possible for any authenticated attacker to change (or delete) the plugin's settings. | |||||
| CVE-2020-36719 | 1 Cridio | 1 Listingpro | 2024-11-21 | N/A | 9.8 CRITICAL |
| The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lp_cc_addons_actions function. This makes it possible for unauthenticated attackers to arbitrarily install, activate and deactivate any plugin. | |||||
| CVE-2020-36716 | 1 Wpwhitesecurity | 1 Wp Activity Log | 2024-11-21 | N/A | 7.3 HIGH |
| The WP Activity Log plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the setup_page function in versions up to, and including, 4.0.1. This makes it possible for unauthenticated attackers to run the setup wizard (if it has not been run previously) and access plugin configuration options. | |||||
| CVE-2020-36715 | 1 Xootix | 1 Login\/signup Popup | 2024-11-21 | N/A | 7.4 HIGH |
| The Login/Signup Popup plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several functions in versions up to, and including, 1.4. This makes it possible for authenticated attackers to inject arbitrary web scripts into the plugin settings that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2020-36712 | 1 Kaliforms | 1 Kali Forms | 2024-11-21 | N/A | 8.6 HIGH |
| The Kali Forms plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 2.1.1. This is due to the kaliforms_form_delete_uploaded_file function lacking any privilege or user protections. This makes it possible for unauthenticated attackers to delete any site post or page with the id parameter. | |||||
| CVE-2020-36702 | 1 Brainstormforce | 1 Spectra | 2024-11-21 | N/A | 5.5 MEDIUM |
| The Ultimate Addons for Gutenberg plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 1.14.7. This is due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber+ roles to update the plugin's settings. | |||||
| CVE-2020-36699 | 1 Quick Page\/post Redirect Project | 1 Quick Page\/post Redirect | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Quick Page/Post Redirect Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the qppr_save_quick_redirect_ajax and qppr_delete_quick_redirect functions in versions up to, and including, 5.1.9. This makes it possible for low-privileged attackers to interact with the plugin settings and to create a redirect link that would forward all traffic to an external malicious website. | |||||
| CVE-2020-36698 | 1 Cleantalk | 1 Security \& Malware Scan | 2024-11-21 | N/A | 8.8 HIGH |
| The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to unauthorized user interaction in versions up to, and including, 2.50. This is due to missing capability checks on several AJAX actions and nonce disclosure in the source page of the administrative dashboard. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to call functions and delete and/or upload files. | |||||
| CVE-2020-36697 | 1 Appsaloon | 1 Wp Gdpr | 2024-11-21 | N/A | 7.3 HIGH |
| The WP GDPR plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in versions up to, and including, 2.1.1. This makes it possible for unauthenticated attackers to delete any comment and modify the plugin’s settings. | |||||
| CVE-2020-36696 | 1 Tychesoftwares | 1 Product Input Fields For Woocommerce | 2024-11-21 | N/A | 7.5 HIGH |
| The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the handle_downloads() function in versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to download files from the vulnerable service. | |||||
| CVE-2020-36670 | 1 Basixonline | 1 Nex-forms | 2024-11-21 | N/A | 6.3 MEDIUM |
| The NEX-Forms. plugin for WordPress is vulnerable to unauthorized disclosure and modification of data in versions up to, and including 7.7.1 due to missing capability checks on several AJAX actions. This makes it possible for authenticated attackers with subscriber level permissions and above to invoke these functions which can be used to perform actions like modify form submission records, deleting files, sending test emails, modifying plugin settings, and more. | |||||
| CVE-2020-36667 | 1 Jetbackup | 1 Jetbackup | 2024-11-21 | N/A | 5.4 MEDIUM |
| The JetBackup – WP Backup, Migrate & Restore plugin for WordPress is vulnerable to unauthorized back-up location changes in versions up to, and including 1.4.1 due to a lack of proper capability checking on the backup_guard_cloud_dropbox, backup_guard_cloud_gdrive, and backup_guard_cloud_oneDrive functions. This makes it possible for authenticated attackers, with minimal permissions, such as a subscriber to change to location of back-ups and potentially steal sensitive information from them. | |||||
| CVE-2020-36625 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in destiny.gg chat. It has been rated as problematic. This issue affects the function websocket.Upgrader of the file main.go. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The name of the patch is bebd256fc3063111fb4503ca25e005ebf6e73780. It is recommended to apply a patch to fix this issue. The identifier VDB-216521 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-36623 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| A vulnerability was found in Pengu. It has been declared as problematic. Affected by this vulnerability is the function runApp of the file src/index.js. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The name of the patch is aea66f12b8cdfc3c8c50ad6a9c89d8307e9d0a91. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216475. | |||||
| CVE-2020-36622 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| A vulnerability was found in sah-comp bienlein and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The name of the patch is d7836a4f2b241e4745ede194f0f6fb47199cab6b. It is recommended to apply a patch to fix this issue. The identifier VDB-216473 was assigned to this vulnerability. | |||||
| CVE-2020-35745 | 1 Phpgurukul | 1 Hospital Management System | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| PHPGURUKUL Hospital Management System V 4.0 does not properly restrict access to admin/dashboard.php, which allows attackers to access all data of users, doctors, patients, change admin password, get appointment history and access all session logs. | |||||