Latest vulnerabilities for Saturday, 1 July 2023

Last updated on 01/07/2023 at 23:58:02

(1) CRITICAL vulnerability(ies) [9.0, 10.0]

Vulnerability ID: CVE-2023-22814

First published: 01-07-2023 00:15:09
Last modified: 01-07-2023 00:15:09

Description:
An authentication bypass issue via spoofing was discovered in the token-based authentication mechanism that could allow an attacker to carry out an impersonation attack. This issue affects My Cloud OS 5 devices: before 5.26.202.

CVE ID: CVE-2023-22814
Source: psirt@wdc.com
CVSS score: 10.0

References:
https://www.westerndigital.com/support/product-security/wdc-23006-my-cloud-firmware-version-5-26-202 | source: psirt@wdc.com

Weakness: CWE-290


(5) HIGH vulnerability(ies) [7.0, 8.9]

Vulnerability ID: CVE-2021-4385

First published: 01-07-2023 04:15:10
Last modified: 01-07-2023 04:15:10

Description:
The WP Private Content Plus plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1. This is due to missing or incorrect nonce validation on the save_groups() function. This makes it possible for unauthenticated attackers to add new group members via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4385
Source: security@wordfence.com
CVSS score: 8.8

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source: security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2473452%40wp-private-content-plus&new=2473452%40wp-private-content-plus&sfp_email=&sfph_mail= | source: security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/238f6d81-78ba-426c-866a-31f9279e4f99?source=cve | source: security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4386

First published: 01-07-2023 04:15:10
Last modified: 01-07-2023 04:15:10

Description:
The WP Security Question plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.5. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4386
Source: security@wordfence.com
CVSS score: 8.8

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source: security@wordfence.com
https://plugins.trac.wordpress.org/browser/wp-security-questions/trunk/modules/settings/model.settings.php#L34 | source: security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/23f9d758-4b5e-44e5-9f58-a37b01c4ffdb?source=cve | source: security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4394

First published: 01-07-2023 05:15:16
Last modified: 01-07-2023 05:15:16

Description:
The Locations plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.1. This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to update custom field meta data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4394
Source: security@wordfence.com
CVSS score: 8.8

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source: security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2548546%40locations&new=2548546%40locations&sfp_email=&sfph_mail= | source: security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/3df9f237-a861-43fc-8623-d42f84d8d5d1?source=cve | source: security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4398

First published: 01-07-2023 06:15:09
Last modified: 01-07-2023 06:15:09

Description:
The Amministrazione Trasparente plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.1. This is due to missing or incorrect nonce validation on the at_save_aturl_meta() function. This makes it possible for unauthenticated attackers to update meta data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4398
Source: security@wordfence.com
CVSS score: 8.8

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source: security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2548741%40amministrazione-trasparente&new=2548741%40amministrazione-trasparente&sfp_email=&sfph_mail= | source: security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/6358fc29-5b09-481a-9040-a7890b61f419?source=cve | source: security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4401

First published: 01-07-2023 06:15:10
Last modified: 01-07-2023 06:15:10

Description:
The Style Kits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.0. This is due to missing or incorrect nonce validation on the update_posts_stylekit() function. This makes it possible for unauthenticated attackers to update style kits for posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4401
Source: security@wordfence.com
CVSS score: 8.8

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source: security@wordfence.com
https://plugins.trac.wordpress.org/changeset/2473676/analogwp-templates/trunk/inc/class-quick-edit.php | source: security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/7cb08fc1-fb8b-4478-8569-eb9b28aff50b?source=cve | source: security@wordfence.com

Weakness: CWE-352


(36) MEDIUM vulnerability(ies) [4.0, 6.9]

Vulnerability ID: CVE-2023-26136

First published: 01-07-2023 05:15:16
Last modified: 01-07-2023 05:15:16

Description:
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

CVE ID: CVE-2023-26136
Source: report@snyk.io
CVSS score: 6.5

References:
https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e | source: report@snyk.io
https://github.com/salesforce/tough-cookie/issues/282 | source: report@snyk.io
https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3 | source: report@snyk.io
https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873 | source: report@snyk.io


Vulnerability ID: CVE-2021-31982

First published: 01-07-2023 00:15:09
Last modified: 01-07-2023 00:15:09

Description:
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

CVE ID: CVE-2021-31982
Source: secure@microsoft.com
CVSS score: 6.3

References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31982 | source: secure@microsoft.com


Vulnerability ID: CVE-2021-34506

First published: 01-07-2023 00:15:09
Last modified: 01-07-2023 00:15:09

Description:
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

CVE ID: CVE-2021-34506
Source: secure@microsoft.com
CVSS score: 6.1

References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34506 | source: secure@microsoft.com


Vulnerability ID: CVE-2021-34475

First published: 01-07-2023 00:15:09
Last modified: 01-07-2023 00:15:09

Description:
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE ID: CVE-2021-34475
Source: secure@microsoft.com
CVSS score: 5.4

References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34475 | source: secure@microsoft.com


Vulnerability ID: CVE-2020-36735

First published: 01-07-2023 03:15:15
Last modified: 01-07-2023 03:15:15

Description:
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.3. This is due to missing or incorrect nonce validation on the handle_leave_calendar_filter, add_enable_disable_option_save, leave_policies, process_bulk_action, and process_crm_contact functions. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2020-36735
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source: security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2368462%40erp&new=2368462%40erp&sfp_email=&sfph_mail= | source: security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/01b90498-0ddb-4eb3-b76d-de30ed03d7d0?source=cve | source: security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2020-36736

First published: 01-07-2023 04:15:09
Last modified: 01-07-2023 04:15:09

Description:
The WooCommerce Checkout & Funnel Builder by CartFlows plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.15. This is due to missing or incorrect nonce validation on the export_json, import_json, and status_logs_file functions. This makes it possible for unauthenticated attackers to import/export settings and trigger the display of logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2020-36736
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source: security@wordfence.com
https://plugins.trac.wordpress.org/changeset/2368446/cartflows/trunk/classes/class-cartflows-importer.php | source: security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/0d98c849-4178-4cee-846b-2c136bc56daf?source=cve | source: security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2020-36737

First published: 01-07-2023 04:15:10
Last modified: 01-07-2023 04:15:10

Description:
The Import / Export Customizer Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the astra_admin_errors() function. This makes it possible for unauthenticated attackers to display an import status via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2020-36737
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source: security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2368366%40astra-import-export&new=2368366%40astra-import-export&sfp_email=&sfph_mail= | source: security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/194face3-36ac-4137-af9a-0b98f60e3afb?source=cve | source: security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2020-36738

First published: 01-07-2023 04:15:10
Last modified: 01-07-2023 04:15:10

Description:
The Cool Timeline (Horizontal & Vertical Timeline) plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the ctl_save() function. This makes it possible for unauthenticated attackers to save field icons via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2020-36738
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source: security@wordfence.com
https://plugins.trac.wordpress.org/changeset/2368335/cool-timeline/trunk/fa-icons/fa-icons-class.php | source: security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/1ce7c895-e94c-46bd-9de1-f5fde29c3475?source=cve | source: security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2020-36739

First published: 01-07-2023 04:15:10
Last modified: 01-07-2023 04:15:10

Description:
The Feed Them Social – Page, Post, Video, and Photo Galleries plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.6. This is due to missing or incorrect nonce validation on the my_fts_fb_load_more() function. This makes it possible for unauthenticated attackers to load feeds via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2020-36739
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source: security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2369818%40feed-them-social&new=2369818%40feed-them-social&sfp_email=&sfph_mail= | source: security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/1fcbe3d1-449c-4135-bbf5-9ea9236e5328?source=cve | source: security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4384

First published: 01-07-2023 04:15:10
Last modified: 01-07-2023 04:15:10

Description:
The WordPress Photo Gallery – Image Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on the load_images_thumbnail() and edit_gallery() functions. This makes it possible for unauthenticated attackers to edit galleries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4384
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source: security@wordfence.com
https://plugins.trac.wordpress.org/browser/photo-contest/tags/1.0.6/includes/admin/admin-page-galleries.php#L102 | source: security@wordfence.com
https://plugins.trac.wordpress.org/browser/photo-contest/tags/1.0.6/includes/view/ajax-function.php#L559 | source: security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/1355bc94-7110-4d61-855e-78889e58dcad?source=cve | source: security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4387

First published: 01-07-2023 04:15:10
Last modified: 01-07-2023 04:15:10

Description:
The Opal Estate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.11. This is due to missing or incorrect nonce validation on the opalestate_set_feature_property() and opalestate_remove_feature_property() functions. This makes it possible for unauthenticated attackers to set and remove featured properties via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4387
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source: security@wordfence.com
https://plugins.trac.wordpress.org/browser/opal-estate/trunk/inc/ajax-functions.php#L177 | source: security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/2645899c-2b6b-48bd-8f33-2a837a951c5e?source=cve | source: security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2020-36740

First published: 01-07-2023 05:15:14
Last modified: 01-07-2023 05:15:14

Description:
The Radio Buttons for Taxonomies plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on the save_single_term() function. This makes it possible for unauthenticated attackers to save terms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2020-36740
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source: security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2368215%40radio-buttons-for-taxonomies&new=2368215%40radio-buttons-for-taxonomies&sfp_email=&sfph_mail= | source: security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/26a246c3-cf67-4566-b1e8-dc14c3c5c827?source=cve | source: security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2020-36741

First published: 01-07-2023 05:15:15
Last modified: 01-07-2023 05:15:15

Description:
The MultiVendorX plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.7. This is due to missing or incorrect nonce validation on the submit_comment() function. This makes it possible for unauthenticated attackers to submit comments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2020-36741
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source: security@wordfence.com
https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/tags/3.5.8/classes/class-wcmp-vendor-dashboard.php?rev=2381617#L432 | source: security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/2c3d9fa7-8ea2-4213-8b28-2ca9191a8223?source=cve | source: security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2020-36742

First published: 01-07-2023 05:15:15
Last modified: 01-07-2023 05:15:15

Description:
The Custom Field Template plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.1. This is due to missing or incorrect nonce validation on the edit_meta_value() function. This makes it possible for unauthenticated attackers to edit meta field values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2020-36742
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source: security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source: security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2368204%40custom-field-template&new=2368204%40custom-field-template&sfp_email=&sfph_mail= | source: security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/3444c4b0-4619-482f-8313-d3006aa1e845?source=cve | source: security@wordfence.com

Weakness: CWE-352


Vulnérabilité ID : CVE-2020-36743

Première publication le : 01-07-2023 05:15:15
Dernière modification le : 01-07-2023 05:15:15

Description :
The Product Catalog Simple plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.13. This is due to missing or incorrect nonce validation on the implecode_save_products_meta() function. This makes it possible for unauthenticated attackers to update product meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE ID : CVE-2020-36743
Source : security@wordfence.com
Score CVSS : 4.3

Références :
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset/2368377/post-type-x/trunk/core/includes/register-product.php | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/36e098fe-d1f9-4c8f-ae6b-222cbd5976b2?source=cve | source : security@wordfence.com

Weakness: CWE-352
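The pattern shared by the Wordfence CSRF entries on this page is a post-save handler that writes whatever arrives in the request without checking that the request came from a form WordPress rendered for the current user. The following is an added illustration and not code from Product Catalog Simple or any other plugin listed here: a hypothetical metabox (the `acme_` prefix, the `_acme_price` meta key and the nonce action name are all assumptions) shown first in the vulnerable shape the descriptions refer to, then hardened with a per-post nonce and a capability check.

```php
<?php
// Added illustration, not code from any plugin on this page.
// Plugin prefix, meta key and nonce action are hypothetical.

// --- Vulnerable shape: "missing or incorrect nonce validation on a save
// handler". Every POST that the logged-in editor's browser sends to
// post.php reaches this callback, so a page on another origin that
// auto-submits a form with the victim's cookies can write arbitrary meta.
function acme_save_meta_vulnerable( $post_id ) {
    if ( isset( $_POST['acme_price'] ) ) {
        update_post_meta( $post_id, '_acme_price', sanitize_text_field( wp_unslash( $_POST['acme_price'] ) ) );
    }
}
// add_action( 'save_post', 'acme_save_meta_vulnerable' );

// --- Hardened shape.
// 1. Emit a nonce in the metabox form. Binding it to the post ID means a
//    nonce captured for one post cannot be replayed against another.
function acme_render_metabox( $post ) {
    wp_nonce_field( 'acme_save_meta_' . $post->ID, 'acme_meta_nonce' );
    $price = get_post_meta( $post->ID, '_acme_price', true );
    printf(
        '<label>Price <input type="text" name="acme_price" value="%s"></label>',
        esc_attr( $price )
    );
}

// 2. Verify the nonce AND the capability before writing anything.
function acme_save_meta_hardened( $post_id ) {
    // Autosaves and revisions never carry the metabox form; bail early.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( wp_is_post_revision( $post_id ) ) {
        return;
    }
    // CSRF: the request must carry the nonce for this action and this post.
    if ( ! isset( $_POST['acme_meta_nonce'] )
        || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['acme_meta_nonce'] ) ), 'acme_save_meta_' . $post_id ) ) {
        return;
    }
    // Authorization: a nonce proves intent, not permission. Check both.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['acme_price'] ) ) {
        update_post_meta( $post_id, '_acme_price', sanitize_text_field( wp_unslash( $_POST['acme_price'] ) ) );
    }
}

function acme_register_metabox() {
    add_meta_box( 'acme_meta', 'Acme product data', 'acme_render_metabox', 'post' );
}
add_action( 'add_meta_boxes', 'acme_register_metabox' );
add_action( 'save_post', 'acme_save_meta_hardened' );
```

Two points worth keeping in mind when reviewing a fix for one of these CVEs: `wp_verify_nonce()` only tells you the request originated from a form WordPress issued to this user, so it never replaces `current_user_can()`; and a nonce whose action string is constant across all posts ("incorrect nonce validation" in the descriptions) is weaker than one tied to the object being edited.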


Vulnerability ID: CVE-2020-36744

First published: 2023-07-01 05:15:15
Last modified: 2023-07-01 05:15:15

Description:
The NotificationX plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.2. This is due to missing or incorrect nonce validation on the generate_conversions() function. This makes it possible for unauthenticated attackers to generate conversions via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2020-36744
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset/2368331/notificationx/trunk/public/class-nx-public.php | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/3ebe7680-a76d-4178-a729-f0d79d861912?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2020-36745

First published: 2023-07-01 05:15:15
Last modified: 2023-07-01 05:15:15

Description:
The WP Project Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.0. This is due to missing or incorrect nonce validation on the do_updates() function. This makes it possible for unauthenticated attackers to trigger updates via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2020-36745
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/browser/wedevs-project-manager/tags/2.4.1/core/Upgrades/Upgrade.php?rev=2368374#L179 | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/456c13f5-4a8b-4eea-a2a0-f37f8508551b?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4388

First published: 2023-07-01 05:15:15
Last modified: 2023-07-01 05:15:15

Description:
The Opal Estate plugin for WordPress is vulnerable to unauthorized modification of featured properties in versions up to, and including, 1.6.11. This is due to missing capability checks on the opalestate_set_feature_property() and opalestate_remove_feature_property() functions. This makes it possible for unauthenticated attackers to set and remove featured properties.

CVE ID: CVE-2021-4388
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/browser/opal-estate/trunk/inc/ajax-functions.php#L177 | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/5ce729a2-a106-45ab-b96c-cfe75246def7?source=cve | source : security@wordfence.com

Weakness: CWE-862
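CVE-2021-4388 is a different weakness from the CSRF entries around it. The AJAX handlers lack a capability check (CWE-862), so no administrator has to be tricked into clicking anything: an unauthenticated client can call admin-ajax.php directly. The following is an added illustration, not Opal Estate's code; the action name `acme_set_featured`, the post type `acme_property`, the meta key and the nonce action are assumptions.

```php
<?php
// Added illustration of a missing-capability-check AJAX action (CWE-862)
// and its hardened form. Not code from any plugin on this page; names are
// hypothetical.

// --- Vulnerable shape. Registering on wp_ajax_nopriv_* exposes the handler
// to anyone who can reach /wp-admin/admin-ajax.php, and nothing in the body
// asks who the caller is or whether they may edit the post. A single direct
// POST with action=acme_set_featured&property_id=N flips the flag.
function acme_set_featured_vulnerable() {
    $property_id = isset( $_POST['property_id'] ) ? absint( $_POST['property_id'] ) : 0;
    update_post_meta( $property_id, '_acme_is_featured', '1' );
    wp_send_json_success();
}
// add_action( 'wp_ajax_acme_set_featured',        'acme_set_featured_vulnerable' );
// add_action( 'wp_ajax_nopriv_acme_set_featured', 'acme_set_featured_vulnerable' );

// --- Hardened shape: nonce (CSRF) plus object-level capability (authorization).
function acme_set_featured_hardened() {
    // Dies with HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer( 'acme_toggle_featured', 'nonce' );

    $property_id = isset( $_POST['property_id'] ) ? absint( $_POST['property_id'] ) : 0;
    $post        = $property_id ? get_post( $property_id ) : null;
    if ( ! $post || 'acme_property' !== $post->post_type ) {
        wp_send_json_error( 'invalid property', 400 );
    }
    // The caller must be allowed to edit this specific post. An object-level
    // check beats a blanket manage_options test on multi-author sites.
    if ( ! current_user_can( 'edit_post', $property_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $featured = ! empty( $_POST['featured'] ) ? '1' : '0';
    update_post_meta( $property_id, '_acme_is_featured', $featured );
    wp_send_json_success( array( 'property_id' => $property_id, 'featured' => $featured ) );
}
// Authenticated hook only: a write action has no business on wp_ajax_nopriv_.
add_action( 'wp_ajax_acme_set_featured', 'acme_set_featured_hardened' );

// Hand the nonce to the admin-side script that calls the action.
function acme_enqueue_admin_script( $hook ) {
    if ( 'post.php' !== $hook && 'post-new.php' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'acme-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'acme-admin', 'acmeAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'acme_toggle_featured' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'acme_enqueue_admin_script' );
```

When triaging a report like this one, check which of the two controls is absent. A handler with a nonce but no capability check is still exploitable by any logged-in user who can obtain a nonce (for example a subscriber), and a handler with a capability check but no nonce is the CSRF case the other entries describe; the fix has to add whichever is missing, not just one of them.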


Vulnerability ID: CVE-2021-4389

First published: 2023-07-01 05:15:15
Last modified: 2023-07-01 05:15:15

Description:
The WP Travel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.4.6. This is due to missing or incorrect nonce validation on the save_meta_data() function. This makes it possible for unauthenticated attackers to save metadata for travel posts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4389
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset/2477827/wp-travel/tags/4.4.7/inc/admin/class-admin-metaboxes.php | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/28dea1e9-e772-488e-b98f-93a46ab84581?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4390

First published: 2023-07-01 05:15:15
Last modified: 2023-07-01 05:15:15

Description:
The Contact Form 7 Style plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2. This is due to missing or incorrect nonce validation on the manage_wp_posts_be_qe_save_post() function. This makes it possible for unauthenticated attackers to quick-edit templates via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4390
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/browser/contact-form-7-style/trunk/cf7-style-meta-box.php#L546 | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/2972cdaf-2d0a-4b55-b4f5-ccf01ff5352c?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4391

First published: 2023-07-01 05:15:15
Last modified: 2023-07-01 05:15:15

Description:
The Ultimate Gift Cards for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the mwb_wgm_save_post() function. This makes it possible for unauthenticated attackers to modify product gift card details via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4391
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/browser/woo-gift-cards-lite/tags/2.1.2/admin/class-woocommerce-gift-cards-lite-admin.php?rev=2549904#L461 | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/2da322ea-0206-4838-8ac4-9dd201bb00bc?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4392

First published: 2023-07-01 05:15:15
Last modified: 2023-07-01 05:15:15

Description:
The eCommerce Product Catalog Plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.9.43. This is due to missing or incorrect nonce validation on the implecode_save_products_meta() function. This makes it possible for unauthenticated attackers to save product meta data via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4392
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2368356%40ecommerce-product-catalog&new=2368356%40ecommerce-product-catalog&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/2eb963dd-41c3-43cd-afb7-1be054829ea3?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4393

First published: 2023-07-01 05:15:15
Last modified: 2023-07-01 05:15:15

Description:
The eCommerce Product Catalog Plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.17. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to save manual digital orders via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4393
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset/2473569/ecommerce-product-catalog/trunk/modules/cart/includes/orders/includes/register-digital-orders.php | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/12ecf3d5-1457-405a-8856-517c7d2f2db1?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2020-36746

First published: 2023-07-01 06:15:09
Last modified: 2023-07-01 06:15:09

Description:
The Menu Swapper plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.0.2. This is due to missing or incorrect nonce validation on the mswp_save_meta() function. This makes it possible for unauthenticated attackers to save meta data via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2020-36746
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2368729%40menu-swapper&new=2368729%40menu-swapper&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/49a04155-9fa8-45e0-b80b-3836d5271fa7?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2020-36747

First published: 2023-07-01 06:15:09
Last modified: 2023-07-01 06:15:09

Description:
The Lightweight Sidebar Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.4. This is due to missing or incorrect nonce validation on the metabox_save() function. This makes it possible for unauthenticated attackers to save metabox data via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2020-36747
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2368387%40sidebar-manager&new=2368387%40sidebar-manager&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/844c5012-f823-46ae-8de2-e2803b7cd063?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2020-36748

First published: 2023-07-01 06:15:09
Last modified: 2023-07-01 06:15:09

Description:
The Dokan plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.8. This is due to missing or incorrect nonce validation on the handle_order_export() function. This makes it possible for unauthenticated attackers to trigger an order export via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2020-36748
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset/2368433/dokan-lite/trunk/includes/Dashboard/Templates/Orders.php | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/894c875a-078f-4c1f-83d2-4a6e4a309c3e?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2020-36749

First published: 2023-07-01 06:15:09
Last modified: 2023-07-01 06:15:09

Description:
The Easy Testimonials plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.6.1. This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to save custom fields via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2020-36749
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2370405%40easy-testimonials&new=2370405%40easy-testimonials&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/8da49c2e-576c-490b-b812-96d15b6d2b1b?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4395

First published: 2023-07-01 06:15:09
Last modified: 2023-07-01 06:15:09

Description:
The Abandoned Cart Recovery for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the get_items() and extra_tablenav() functions. This makes it possible for unauthenticated attackers to perform read-only actions via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4395
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2550169%40woo-abandoned-cart-recovery&new=2550169%40woo-abandoned-cart-recovery&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/45b627f9-e7c6-4bf6-b1c7-d607f3e083f8?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4396

First published: 2023-07-01 06:15:09
Last modified: 2023-07-01 06:15:09

Description:
The Rucy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.4.4. This is due to missing or incorrect nonce validation on the save_rc_post_meta() function. This makes it possible for unauthenticated attackers to save post meta via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4396
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/browser/rucy/trunk/inc/class-rucy-editor.php#L237 | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/595d0401-55b9-418e-8b99-48b23e9a2662?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4397

First published: 2023-07-01 06:15:09
Last modified: 2023-07-01 06:15:09

Description:
The Staff Directory Plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.6. This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to save custom fields via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4397
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2548539%40staff-directory-pro&new=2548539%40staff-directory-pro&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/5971447d-0634-49a5-91d0-c4f0c0825a86?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4399

First published: 2023-07-01 06:15:09
Last modified: 2023-07-01 06:15:09

Description:
The Edwiser Bridge plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.6. This is due to missing or incorrect nonce validation on the user_data_synchronization_initiater(), course_synchronization_initiater(), users_link_to_moodle_synchronization(), connection_test_initiater(), admin_menus(), and subscribe_handler() functions. This makes it possible for unauthenticated attackers to perform unauthorized actions via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4399
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2478642%40edwiser-bridge&new=2478642%40edwiser-bridge&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/6450dafd-5992-4831-87af-e5e47cc8663e?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4400

First published: 2023-07-01 06:15:09
Last modified: 2023-07-01 06:15:09

Description:
The Better Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the bsearch_process_settings_import() and bsearch_process_settings_export() functions. This makes it possible for unauthenticated attackers to import and export settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4400
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2473344%40better-search&new=2473344%40better-search&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/7acbcf74-2bae-412b-bf9d-70287a91deea?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4402

First published: 2023-07-01 06:15:10
Last modified: 2023-07-01 06:15:10

Description:
The Multiple Roles plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the mu_add_roles_in_signup_meta() and mu_add_roles_in_signup_meta_recently() functions. This makes it possible for unauthenticated attackers to add additional roles to users via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4402
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2556328%40multiple-roles&new=2556328%40multiple-roles&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/862fa0c3-c16f-493e-9bf6-92debc0e30f6?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4403

First published: 01-07-2023 06:15:10
Last modified: 01-07-2023 06:15:10

Description:
The Remove Schema plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the validate() function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4403
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2548575%40remove-schema&new=2548575%40remove-schema&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/89635463-966d-4f7d-995d-ad83a502d95b?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4404

First published: 01-07-2023 06:15:10
Last modified: 01-07-2023 06:15:10

Description:
The Event Espresso 4 Decaf plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.10.11. This is due to missing or incorrect nonce validation on the ajaxHandler() function. This makes it possible for unauthenticated attackers to opt into notifications via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4404
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset/2554360/event-espresso-decaf/trunk/core/domain/services/pue/Stats.php | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/89d3a9da-2496-4f75-ad8f-65629f198fe5?source=cve | source : security@wordfence.com

Weakness: CWE-352


Vulnerability ID: CVE-2021-4405

First published: 01-07-2023 06:15:10
Last modified: 01-07-2023 06:15:10

Description:
The ElasticPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.3. This is due to missing or incorrect nonce validation on the epio_send_autosuggest_allowed() function. This makes it possible for unauthenticated attackers to send allowed parameters for autosuggest to elasticpress[.]io via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE ID: CVE-2021-4405
Source: security@wordfence.com
CVSS score: 4.3

References:
https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4/ | source : security@wordfence.com
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/ | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset/2473455/elasticpress/trunk/includes/classes/Feature/Autosuggest/Autosuggest.php | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/8ab8eb9d-1427-4e99-8986-179147e0862e?source=cve | source : security@wordfence.com

Weakness: CWE-352
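
Every CSRF entry above (CVE-2021-4400 through CVE-2021-4405) has the same root cause: an admin-reachable handler acts on request parameters without checking a nonce, so a page on an attacker's site can submit a form that the administrator's browser sends with the administrator's cookies. In a WordPress plugin the fix is to render the form with wp_nonce_field() and to gate the handler with current_user_can() plus check_admin_referer() or wp_verify_nonce(). The following is an added example, not code from any of the plugins listed: a Python model of WordPress's nonce scheme (a 12-hour tick, an HMAC over tick|action|user|session, truncated to ten hex characters, with the previous tick still accepted) and a vulnerable handler beside its hardened form. The nonce key, the action name plugin_import_settings, the session token and the settings payloads are all constructed for the demo.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass, field

# Constructed secret for the demo. WordPress derives the real key from the
# NONCE_KEY / NONCE_SALT constants in wp-config.php.
NONCE_KEY = b"constructed-demo-nonce-key"
NONCE_LIFE = 24 * 60 * 60  # WordPress default nonce lifetime (DAY_IN_SECONDS)

# Hypothetical action name for the handler; each real plugin picks its own.
IMPORT_ACTION = "plugin_import_settings"


def nonce_tick(now: float) -> int:
    """Mirror of wp_nonce_tick(): the lifetime is cut in halves, so a nonce
    stays valid for 12 to 24 hours depending on when it was minted."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_for_tick(tick: int, action: str, user_id: int, session: str) -> str:
    msg = f"{tick}|{action}|{user_id}|{session}".encode()
    digest = hmac.new(NONCE_KEY, msg, hashlib.md5).hexdigest()
    return digest[-12:-2]  # PHP substr($hash, -12, 10): ten hex characters


def create_nonce(action: str, user_id: int, session: str, now: float) -> str:
    """Mirror of wp_create_nonce(): bound to the action, the user and the
    login session, so only a page rendered for that user can carry it."""
    return _nonce_for_tick(nonce_tick(now), action, user_id, session)


def verify_nonce(nonce: str, action: str, user_id: int, session: str, now: float) -> int:
    """Mirror of wp_verify_nonce(): 1 if minted in the current tick, 2 if in
    the previous one, 0 otherwise (WordPress returns false for that case)."""
    if not nonce or user_id == 0:
        return 0
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(_nonce_for_tick(t, action, user_id, session), nonce):
            return age
    return 0


@dataclass
class Request:
    """What the server sees: the victim's identity (from cookies the browser
    attaches automatically) plus a body that the attacker's page chose."""
    user_id: int
    session: str
    caps: set
    params: dict


@dataclass
class Site:
    settings: dict = field(default_factory=dict)


def vulnerable_import(site: Site, req: Request) -> bool:
    """Shape of the flaw in the advisories: the handler trusts the POST body
    because the caller is logged in, with no proof that the request came
    from a form the site itself rendered."""
    site.settings.update(req.params["settings"])
    return True


def hardened_import(site: Site, req: Request, now: float) -> bool:
    """Same action gated the way current_user_can() + check_admin_referer()
    gate it: capability first, then a nonce for this action and this user."""
    if "manage_options" not in req.caps:
        return False
    nonce = req.params.get("_wpnonce", "")
    if not verify_nonce(nonce, IMPORT_ACTION, req.user_id, req.session, now):
        return False
    site.settings.update(req.params["settings"])
    return True


def run_demo(now: float = 1_700_000_000.0) -> dict:
    """Replay the CSRF scenario against both handlers and report the outcomes."""
    admin = {"user_id": 1, "session": "constructed-session-token", "caps": {"manage_options"}}
    # Cross-site POST: runs as the admin, but the attacker never saw a nonce.
    forged = Request(**admin, params={"settings": {"limit": 0}})
    # Genuine submission: the form was rendered for the admin with wp_nonce_field().
    legit = Request(**admin, params={
        "_wpnonce": create_nonce(IMPORT_ACTION, 1, admin["session"], now),
        "settings": {"limit": 10},
    })
    vuln, hard = Site(), Site()
    results = {
        "vulnerable_applied": vulnerable_import(vuln, forged),
        "hardened_forged_applied": hardened_import(hard, forged, now),
    }
    results["settings_after_forgery"] = (dict(vuln.settings), dict(hard.settings))
    results["hardened_legit_applied"] = hardened_import(hard, legit, now)
    results["settings_after_legit"] = dict(hard.settings)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two points the model makes visible: the nonce is useless as a check unless the handler actually calls verify_nonce() before acting (the capability check alone does nothing against CSRF, because the forged request really does run as the administrator), and a nonce minted for another action, another user or another login session fails verification, which is why leaking one nonce from an unrelated form does not let an attacker reach this handler.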


(1) LOW vulnerability [0.1, 3.9]

Vulnerability ID: CVE-2021-42307

First published: 01-07-2023 00:15:09
Last modified: 01-07-2023 00:15:09

Description:
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

CVE ID: CVE-2021-42307
Source: secure@microsoft.com
CVSS score: 3.1

References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42307 | source : secure@microsoft.com


This website uses the NVD API but is not endorsed or certified by the NVD.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports
