Common Vulnerabilities

The plugin does not have proper authorisation and Cross-Site Request Forgery (CSRF) check in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org repository.

The plugin does not have proper authorisation and Cross-Site Request Forgery (CSRF) check in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.org repository.

The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check in an AJAX action, allowing any logged-in user to create, update and delete shipping methods.

The plugin does not sanitize and escape some parameters, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting (XSS) attacks.

The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check when deleting popups, which could allow unauthenticated users to delete them.

The plugin does not have authorization and Cross-Site Request Forgery (CSRF) check when creating/updating popups, and is missing sanitisation as well as escaping, which could allow unauthenticated attackers to create arbitrary popups and add Stored Cross-Site Scripting (XSS) payloads as well.

The plugin does not sanitize and escapes some parameters, which could allow users with a role as low as contributor to perform Cross-Site Scripting (XSS) attacks.

The plugin does not prevent subscribers from updating a site’s feed access token, which may deny other users access to the functionality in certain configurations.

The plugin does not prevent users with low privileges (like subscribers) from accessing sensitive system information.

The plugin does not have Cross-Site Request Forgery (CSRF) check when deleting a client, and does not ensure that the object to be deleted is actually a client, which could allow attackers to make a logged in admin delete arbitrary client and post via a Cross-Site Request Forgery (CSRF) attack.

The plugin does not have authorisation check when cleaning up its error logs via an AJAX action, which could allow any authenticated users, such as subscriber to call it and remove error logs.

The plugin does not ensure that the post retrieved via an AJAX action is public and can be accessed by the user making the request, allowing unauthenticated attackers to get the content of arbitrary posts, including draft/private as well as password-protected ones.

The plugin does not sanitize and escape client ids, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check in the stm_wpcfto_get_settings AJAX action, which could allow any authenticated users to call it and retrieve meeting’s data.

The plugin does not have Cross-Site Request Forgery (CSRF) check when updating user social login option, which could allow attackers to make logged in users do such action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check in the wd_search_cf AJAX action, which could allow any authenticated users to call it and retrieve arbitrary post metadata.

The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check in the phone-orders-for-woocommerce AJAX action, which could allow any authenticated users to call it and retrieve user’s personal data.

The plugin does not have Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged in users do such action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

The plugin does not have Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged in users do such action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

The plugin does not have Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged in users do such action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

The plugin does not have Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged in users do such action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

The plugin does not have Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged in users do such action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

The plugin does not have Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged in users do such action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

The plugin does not have Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged in users do such action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

The plugin does not have Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged in users do such action on their behalf via a Cross-Site Request Forgery (CSRF) attack.