Filtered by vendor Wpmudev Subscriptions
Total 17 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-10580 1 Wpmudev 1 Hustle 2024-11-27 5.3 Medium
The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized form submissions due to a missing capability check on the submit_form() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to submit unpublished forms.
CVE-2024-9700 1 Wpmudev 1 Forminator Forms 2024-11-25 5.3 Medium
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.36.0 via the submit_quizzes() function due to missing validation on the 'entry_id' user controlled key. This makes it possible for unauthenticated attackers to modify other user's quiz submissions.
CVE-2024-6554 1 Wpmudev 1 Branda 2024-11-21 5.3 Medium
The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.18. This is due the plugin utilizing composer without preventing direct access to the files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
CVE-2024-5191 1 Wpmudev 1 Branda 2024-11-21 6.4 Medium
The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mime_types’ parameter in all versions up to, and including, 3.4.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-37239 1 Wpmudev 1 Branda 2024-11-21 5.9 Medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPMU DEV Branda allows Stored XSS.This issue affects Branda: from n/a through 3.4.17.
CVE-2024-28890 1 Wpmudev 1 Broken Link Checker 2024-11-21 5.3 Medium
Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition.
CVE-2023-5949 1 Wpmudev 1 Smartcrawl 2024-11-21 7.5 High
The SmartCrawl WordPress plugin before 3.8.3 does not prevent unauthorised users from accessing password-protected posts' content.
CVE-2023-5089 1 Wpmudev 1 Defender Security 2024-11-21 5.3 Medium
The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled.
CVE-2023-51490 1 Wpmudev 1 Defender Security 2024-11-21 5.3 Medium
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPMU DEV Defender Security – Malware Scanner, Login Security & Firewall.This issue affects Defender Security – Malware Scanner, Login Security & Firewall: from n/a through 4.1.0.
CVE-2022-1009 1 Wpmudev 1 Smush Image Compression And Optimization 2024-11-21 6.1 Medium
The Smush WordPress plugin before 3.9.9 does not sanitise and escape a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to a Reflected Cross-Site Scripting. For the attack to be successful, an attacker would need an admin to upload a malicious configuration file
CVE-2021-4425 1 Wpmudev 1 Defender Security 2024-11-21 4.3 Medium
The Defender Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.6. This is due to missing or incorrect nonce validation on the verify_otp_login_time() function. This makes it possible for unauthenticated attackers to verify a one time login via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2017-18511 1 Wpmudev 1 Custom Sidebars 2024-11-21 N/A
The custom-sidebars plugin before 3.0.8.1 for WordPress has CSRF.
CVE-2017-18510 1 Wpmudev 1 Custom Sidebars 2024-11-21 N/A
The custom-sidebars plugin before 3.1.0 for WordPress has CSRF related to set location, import actions, and export actions.
CVE-2017-15079 1 Wpmudev 1 Smush Image Compression And Optimization 2024-11-21 N/A
The Smush Image Compression and Optimization plugin before 2.7.6 for WordPress allows directory traversal.
CVE-2015-10098 1 Wpmudev 1 Broken Link Checker 2024-11-21 3.5 Low
A vulnerability was found in Broken Link Checker Plugin up to 1.10.5 on WordPress. It has been rated as problematic. Affected by this issue is the function print_module_list/show_warnings_section_notice/status_text/ui_get_action_links. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.10.6 is able to address this issue. The name of the patch is f30638869e281461b87548e40b517738b4350e47. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-225152.
CVE-2024-37444 1 Wpmudev 1 Defender Security 2024-11-01 5.3 Medium
Missing Authorization vulnerability in WPMU DEV Defender Security allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Defender Security: from n/a through 4.7.1.
CVE-2024-43117 1 Wpmudev 1 Hummingbird 2024-09-18 4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in WPMU DEV Hummingbird.This issue affects Hummingbird: from n/a through 3.9.1.