Total
437 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-10245 | 2024-11-12 | N/A | 9.8 CRITICAL | ||
|
The Relais 2FA plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0. This is due to incorrect authentication and capability checking in the 'rl_do_ajax' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
|
|||||
| CVE-2024-50334 | 1 Erudika | 1 Scoold | 2024-11-08 | N/A | 5.3 MEDIUM |
|
Scoold is a Q&A and a knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT requests on the /api;/config endpoint while setting the Content-Type: application/hocon header allow unauthenticated attackers to file reading via HOCON file inclusion. This allows attackers to retrieve sens ...
Show More |
|||||
| CVE-2024-9989 | 1 Odude | 1 Crypto Tool | 2024-11-07 | N/A | 9.8 CRITICAL |
|
The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due a to limited arbitrary method call to 'crypto_connect_ajax_process::log_in' function in the 'crypto_connect_ajax_process' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
|
|||||
| CVE-2024-9988 | 1 Odude | 1 Crypto Tool | 2024-11-07 | N/A | 9.8 CRITICAL |
|
The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due to missing validation on the user being supplied in the 'crypto_connect_ajax_process::register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
|
|||||
| CVE-2024-49675 | 1 Vitaliibryl | 1 Switch User | 2024-11-06 | N/A | 8.8 HIGH |
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in Vitalii Bryl iBryl Switch User allows Authentication Bypass.This issue affects iBryl Switch User: from n/a through 1.0.1.
|
|||||
| CVE-2024-9488 | 1 Gvectors | 1 Wpdiscuz | 2024-11-06 | N/A | 9.8 CRITICAL |
|
The Comments – wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
|
|||||
| CVE-2024-47406 | 2 Sharp, Toshibatec | 640 Bp-30c25, Bp-30c25 Firmware, Bp-30c25t and 637 more | 2024-11-05 | N/A | 9.8 CRITICAL |
|
Sharp and Toshiba Tec MFPs improperly process HTTP authentication requests, resulting in an authentication bypass vulnerability.
|
|||||
| CVE-2024-50503 | 2024-11-01 | N/A | 9.8 CRITICAL | ||
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in Deryck Oñate User Toolkit allows Authentication Bypass.This issue affects User Toolkit: from n/a through 1.2.3.
|
|||||
| CVE-2024-50488 | 1 Priyabratasarkar | 1 Token Login | 2024-10-31 | N/A | 8.8 HIGH |
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in Priyabrata Sarkar Token Login allows Authentication Bypass.This issue affects Token Login: from n/a through 1.0.3.
|
|||||
| CVE-2024-50477 | 1 Stacksmarket | 1 Stacks Mobile App Builder | 2024-10-31 | N/A | 9.8 CRITICAL |
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in Stacks Stacks Mobile App Builder stacks-mobile-app-builder allows Authentication Bypass.This issue affects Stacks Mobile App Builder: from n/a through 5.2.3.
|
|||||
| CVE-2024-50487 | 1 Maantheme | 1 Maanstore Api | 2024-10-31 | N/A | 9.8 CRITICAL |
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in MaanTheme MaanStore API allows Authentication Bypass.This issue affects MaanStore API: from n/a through 1.0.1.
|
|||||
| CVE-2024-50489 | 1 Realtyworkstation | 1 Realty Workstation | 2024-10-31 | N/A | 9.8 CRITICAL |
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in Realty Workstation allows Authentication Bypass.This issue affects Realty Workstation: from n/a through 1.0.45.
|
|||||
| CVE-2024-50486 | 1 Acnoo | 1 Flutter Api | 2024-10-29 | N/A | 9.8 CRITICAL |
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo Acnoo Flutter API allows Authentication Bypass.This issue affects Acnoo Flutter API: from n/a through 1.0.5.
|
|||||
| CVE-2024-9501 | 2024-10-28 | N/A | 9.8 CRITICAL | ||
|
The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.0.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
|
|||||
| CVE-2024-9931 | 2024-10-28 | N/A | 9.8 CRITICAL | ||
|
The Wux Blog Editor plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.0.0. This is due to missing validation on the token being supplied during the autologin through the plugin. This makes it possible for unauthenticated attackers to log in to the first administrator user.
|
|||||
| CVE-2024-9930 | 2024-10-28 | N/A | 9.8 CRITICAL | ||
|
The Extensions by HocWP Team plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2.3.2. This is due to missing validation on the user being supplied in the 'verify_email' action. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator. The vulnerability is in the Account extension.
|
|||||
| CVE-2024-9890 | 2024-10-28 | N/A | 8.8 HIGH | ||
|
The User Toolkit plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.3. This is due to an improper capability check in the 'switchUser' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator.
|
|||||
| CVE-2024-9933 | 2024-10-28 | N/A | 9.8 CRITICAL | ||
|
The WatchTowerHQ plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.6. This is due to the 'watchtower_ota_token' default value is empty, and the not empty check is missing in the 'Password_Less_Access::login' function. This makes it possible for unauthenticated attackers to log in to the WatchTowerHQ client administrator user.
|
|||||
| CVE-2024-10002 | 1 Roveridx | 1 Rover Idx | 2024-10-25 | N/A | 8.8 HIGH |
|
The Rover IDX plugin for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0.0.2905. This is due to insufficient validation and capability check on the 'rover_idx_refresh_social_callback' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in to administrator. The vulnerability is partially patched in version 3.0.0.2905 and fully patched in version 3.0.0.2906.
|
|||||
| CVE-2024-49328 | 1 Vivektamrakar | 1 Wp Rest Api Fns | 2024-10-23 | N/A | 9.8 CRITICAL |
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in Vivek Tamrakar WP REST API FNS allows Authentication Bypass.This issue affects WP REST API FNS: from n/a through 1.0.0.
|
|||||
| CVE-2024-49604 | 1 Najeebmedia | 1 Simple User Registration | 2024-10-23 | N/A | 9.8 CRITICAL |
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in Najeeb Ahmad Simple User Registration allows Authentication Bypass.This issue affects Simple User Registration: from n/a through 5.5.
|
|||||
| CVE-2024-9105 | 2024-10-16 | N/A | 9.8 CRITICAL | ||
|
The UltimateAI plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.8.3. This is due to insufficient verification on the user being supplied in the 'ultimate_ai_register_or_login_with_google' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
|
|||||
| CVE-2024-49247 | 2024-10-16 | N/A | 9.8 CRITICAL | ||
|
: Authentication Bypass Using an Alternate Path or Channel vulnerability in sooskriszta, webforza BuddyPress Better Registration allows : Authentication Bypass.This issue affects BuddyPress Better Registration: from n/a through 1.6.
|
|||||
| CVE-2024-9893 | 2024-10-16 | N/A | 9.8 CRITICAL | ||
|
The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.1.14. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
|
|||||
| CVE-2024-47010 | 1 Ivanti | 1 Avalanche | 2024-10-16 | N/A | 9.8 CRITICAL |
|
Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.
|
|||||
| CVE-2024-47009 | 1 Ivanti | 1 Avalanche | 2024-10-16 | N/A | 9.8 CRITICAL |
|
Path Traversal in Ivanti Avalanche before version 6.4.5 allows a remote unauthenticated attacker to bypass authentication.
|
|||||
| CVE-2024-9522 | 1 Lagunaisw | 1 Wp Users Masquerade | 2024-10-15 | N/A | 8.8 HIGH |
|
The WP Users Masquerade plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.0. This is due to incorrect authentication and capability checking in the 'ajax_masq_login' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator.
|
|||||
| CVE-2024-9289 | 1 Redefiningtheweb | 1 Affiliate Pro | 2024-10-07 | N/A | 9.8 CRITICAL |
|
The WordPress & WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due to the rtwwwap_login_request_callback() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, granted they have access to the administrator's email.
|
|||||
| CVE-2024-9106 | 2024-10-04 | N/A | 9.8 CRITICAL | ||
|
The Wechat Social login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.3.0. This is due to insufficient verification on the user being supplied during the social login. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. This is only exploitable if the app secret is not set, so it has a default empty value.
|
|||||
| CVE-2024-7781 | 1 Artbees | 1 Jupiter X Core | 2024-10-02 | N/A | 9.8 CRITICAL |
|
The Jupiter X Core plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.7.5. This is due to improper authentication via the Social Login widget. This makes it possible for unauthenticated attackers to log in as the first user to have logged in with a social media account, including administrator accounts. Attackers can exploit the vulnerability even if the Social Login element has been disabled, as long as it was previously enabled and used. The vul ...
Show More |
|||||
| CVE-2024-43692 | 1 Doverfuelingsolutions | 4 Progauge Maglink Lx4 Console, Progauge Maglink Lx4 Console Firmware, Progauge Maglink Lx Console and 1 more | 2024-10-01 | N/A | 9.8 CRITICAL |
|
An attacker can directly request the ProGauge MAGLINK LX CONSOLE
resource sub page with full privileges by requesting the URL directly.
|
|||||
| CVE-2024-8277 | 1 Villatheme | 1 Woocommerce Photo Reviews | 2024-09-26 | N/A | 9.8 CRITICAL |
|
The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user's identity. This makes it possible for unauthenticated attackers to log in as user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as an ...
Show More |
|||||
| CVE-2024-41173 | 1 Beckhoff | 2 Ipc Diagnostics Package, Twincat\/bsd | 2024-09-12 | N/A | 7.8 HIGH |
|
The IPC-Diagnostics package included in TwinCAT/BSD is vulnerable to a local authentication bypass by a low privileged attacker.
|
|||||
| CVE-2024-35151 | 1 Ibm | 2 Openpages Grc Platform, Openpages With Watson | 2024-08-23 | N/A | 6.5 MEDIUM |
|
IBM OpenPages with Watson 8.3 and 9.0 could allow authenticated users access to sensitive information through improper authorization controls on APIs.
|
|||||
| CVE-2024-35124 | 1 Ibm | 1 Openbmc | 2024-08-22 | N/A | 7.5 HIGH |
|
A vulnerability in the combination of the OpenBMC's FW1050.00 through FW1050.10, FW1030.00 through FW1030.50, and FW1020.00 through FW1020.60 default password and session management allow an attacker to gain administrative access to the BMC. IBM X-Force ID: 290674.
|
|||||
| CVE-2024-6684 | 2024-08-13 | N/A | N/A | ||
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in GST Electronics inohom Nova Panel N7 allows Authentication Bypass.This issue affects inohom Nova Panel N7: through 1.9.9.6. NOTE: The vendor was contacted and it was learned that the product is not supported.
|
|||||
| CVE-2024-7350 | 2024-08-08 | N/A | 9.8 CRITICAL | ||
|
The Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to authentication bypass in versions 1.1.6 to 1.1.7. This is due to the plugin not properly verifying a user's identity prior to logging them in when completing a booking. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they have access to that user's email. This is only exploitable when the 'Auto login user after ...
Show More |
|||||