Common Vulnerabilities

The plugin does not have Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged in users do such action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

The plugin does not have Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged in users do such action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

The plugin does not have Cross-Site Request Forgery (CSRF) check when submitting feedback, which could allow attackers to make logged in users do such action on their behalf via a Cross-Site Request Forgery (CSRF) attack.

The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

The plugin does not have Cross-Site Request Forgery (CSRF) check in some places, which could allow attackers to make logged-in users perform unwanted actions.

The plugin does not have proper Cross-Site Request Forgery (CSRF) check in some places, for example when importing shortcodes, which could allow attackers to make logged in admins perform unwanted actions via Cross-Site Request Forgery (CSRF) attacks.

The plugin does not have Cross-Site Request Forgery (CSRF) check in place when updating its settings, which could allow attackers to make a logged in admin change them via a Cross-Site Request Forgery (CSRF) attack.

The plugin does not have proper Cross-Site Request Forgery (CSRF) check in some places, which could allow attackers to make logged in admins perform unwanted actions via Cross-Site Request Forgery (CSRF) attacks.

The plugin does not authorisation and does not sanitize as well as escape some parameters, which could allow users with a role as low as subscriber to perform Stored Cross-Site Scripting (XSS) attacks.

The plugin does not have Cross-Site Request Forgery (CSRF) check when modify the thumbnail, which could allow attackers to make logged in users with the edit_post capability to perform such action via a Cross-Site Request Forgery (CSRF) attack.

The plugin does not have Cross-Site Request Forgery (CSRF) check when updating an image location, which could allow attackers to make logged in users perform such action via a Cross-Site Request Forgery (CSRF) attack.

The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check in an AJAX action, which could allow any authenticated users, such as subscriber to copy the gallery files to another folder.

The plugin does not have Cross-Site Request Forgery (CSRF) check in place when creating and editing cursors, which could allow attackers to made a logged in admin perform such actions via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping in some of the cursor options, it could also lead to Stored Cross-Site Scripting (XSS).

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privileged users such as admin.

The plugin does not have Cross-Site Request Forgery (CSRF) check in place when deleting cursors, which could allow attackers to made a logged in admin delete arbitrary cursors via a Cross-Site Request Forgery (CSRF) attack.

The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check in an AJAX action, which could allow any authenticated users, such as subscriber to delete arbitrary options from the blog, which could make the blog unavailable.

The plugin does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

The plugin does not sanitize and escape some of its settings, which could allow high privilege users with a role as low as Shop Manager to perform Stored Cross-Site Scripting (XSS) attacks.

The plugin is lacking Cross-Site Request Forgery (CSRF) check in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin’s license.

The plugin is lacking Cross-Site Request Forgery (CSRF) check in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin’s license.

The plugin is lacking Cross-Site Request Forgery (CSRF) check in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin’s license.

The plugin is lacking Cross-Site Request Forgery (CSRF) check in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin’s license.

The plugin is lacking Cross-Site Request Forgery (CSRF) check in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin’s license.

The plugin does not have Cross-Site Request Forgery (CSRF) check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored Cross-Site Scripting (XSS) payloads via a Cross-Site Request Forgery (CSRF) attack.

The plugin does not have authorisation and Cross-Site Request Forgery (CSRF) check when reseting plugin settings, which could allow authenticated users to reset them.