CVE-2019-25214

HIGH Year: 2019
CVSS v3 Score
7.2
High
Weakness Type
CWE-862
View all →

Vulnerability Description

The ShopWP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST API routes in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to call the endpoints and perform unauthorized actions such as updating the plugin's settings and injecting malicious scripts.

Related Vulnerabilities

CVE-2009-3168

HIGH
CVSS:7.2(High)

Mevin Productions Basic PHP Events Lister 2.0 does not properly restrict access to (1) admin/reset.php and (2) admin/user_add.php, which allows remote authenticated users to reset administrative passw...

CWE-8622009

CVE-2012-6614

HIGH
CVSS:7.2(High)

D-Link DSR-250N devices before 1.08B31 allow remote authenticated users to obtain "persistent root access" via the BusyBox CLI, as demonstrated by overwriting the super user password.

CWE-8622012

CVE-2018-15327

HIGH
CVSS:7.2(High)

In BIG-IP 14.0.0-14.0.0.2 or 13.0.0-13.1.1.1 or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also referred to as the ...

CWE-8622018

CVE-2018-15329

HIGH
CVSS:7.2(High)

On BIG-IP 14.0.0-14.0.0.2, 13.0.0-13.1.1.1, or 12.1.0-12.1.3.7, or Enterprise Manager 3.1.1, when authenticated administrative users run commands in the Traffic Management User Interface (TMUI), also ...

CWE-8622018

CVE-2019-0349

HIGH
CVSS:7.2(High)

SAP Kernel (ABAP Debugger), versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT,...

CWE-8622019

CVE-2019-12168

HIGH
CVSS:7.2(High)

Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.

CWE-8622019