Logo
Retour à la veille

CVE-2026-9719

Publié : 6 juin 2026
Modifié : 6 juin 2026
Lien officiel NVD
Score CVSS
4.3
MEDIUM

Description détaillée

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the change_status function. This makes it possible for unauthenticated attackers to change the status of arbitrary invoices — including marking unpaid invoices as paid — without administrator consent via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Références et Patchs

https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.0/lib/controllers/invoices_controller.php#L234https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.0/lib/controllers/invoices_controller.php#L246https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.0/lib/helpers/params_helper.php#L12https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.0/lib/controllers/invoices_controller.php#L234https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.0/lib/controllers/invoices_controller.php#L246https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.0/lib/helpers/params_helper.php#L12https://plugins.trac.wordpress.org/changeset/3553094/latepointhttps://www.wordfence.com/threat-intel/vulnerabilities/id/c720fffe-c089-450a-ac5f-1138c1c223d9?source=cve

Dernières Vulnérabilités

CVE-2026-9290

The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

VOIR DÉTAILS

CVE-2026-8976

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create and execute RSS import jobs, purge (force-delete) all posts associated with any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names. The nonce required to reach these sub-handlers is leaked to any user with the edit_posts capability via the feedzyjs localized script injected into the block editor, meaning no privileged nonce theft or separate exploit step is required for Contributor-level users.

VOIR DÉTAILS

CVE-2026-8900

The Simple SEO Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. WordPress KSES does not strip malicious shortcode attribute values on post save, allowing contributor-level users to persist payloads that execute for any visitor, including administrators reviewing the post.

VOIR DÉTAILS