Vulmon
call to action vulnerabilities and exploits
CVE-2022-1092 (VMScore 356) - Mycred Mycred
The myCred WordPress plugin prior to 2.4.3.1 does not have authorisation and CSRF checks in its mycred-tools-import-export AJAX action, allowing any authenticated user to call it and retrieve the list of email addresses present in the blog.

CVE-2022-3923 (VMScore NA) - Activecampaign Activecampaign For Woocommerce
The ActiveCampaign for WooCommerce WordPress plugin prior to 1.9.8 does not have an authorisation check when cleaning up its error logs via an AJAX action, which could allow any authenticated user, such as a subscriber, to call it and remove error logs.

CVE-2021-24839 (VMScore 445) - Supportcandy Supportcandy
The SupportCandy WordPress plugin prior to 2.2.5 does not have authorisation and CSRF checks in its wpsc_tickets AJAX action, which could allow unauthenticated users to call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action. Other actions m...

CVE-2024-29832 (VMScore NA)
The current_url parameter of the AJAX call to the GalleryBox action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the current_url parameter is embedded within existing JavaScript in the response, allowing arbitrary JavaScript to be inserted...

CVE-2021-25014 (VMScore 312) - Vowelweb Ibtana
The Ibtana WordPress plugin prior to 1.1.4.9 does not have authorisation and CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated user, such as a subscriber, to call it and change the plugin's settings, which could lead to Stored Cross-Site Scrip...

CVE-2022-3451 (VMScore NA) - Addify Product Stock Manager
The Product Stock Manager WordPress plugin prior to 1.0.5 does not have authorisation and proper CSRF checks in multiple AJAX actions, allowing users with a role as low as subscriber to call them. One action in particular could allow updating arbitrary options.

CVE-2021-24243 (VMScore 312)
An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin prior to 4.5.6 did not have capability checks nor sanitization, allowing low-privilege users (subscriber+) to call it and set XSS payloads, which will be triggered in all backend p...

CVE-2022-3879 (VMScore NA) - Car Dealer Project Car Dealer
The Car Dealer (Dealership) and Vehicle sales WordPress Plugin WordPress plugin prior to 3.05 does not have proper authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and install and activate arbitrary plugins from wordpress.o...

CVE-2024-1756 (VMScore NA)
The WooCommerce Customers Manager WordPress plugin prior to 29.8 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and retrieve the list of customer email addresses along with their id, first name and last nam...

CVE-2022-0363 (VMScore 356) - Mycred Mycred
The myCred WordPress plugin prior to 2.4.3.1 does not have any authorisation and CSRF checks in the mycred-tools-import-export AJAX action, allowing any authenticated user, such as a subscriber, to call it and import the mycred setup, thus creating badges, managing points or creating...