Total: 6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-1090 | Imagerecycle | Imagerecycle Pdf & Image Compression | 2024-12-27 | N/A | 4.3 MEDIUM | The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the stopOptimizeAll function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify image optimization settings. |
| CVE-2024-1089 | Imagerecycle | Imagerecycle Pdf & Image Compression | 2024-12-27 | N/A | 4.3 MEDIUM | The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the optimizeAllOn function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify image optimization settings. |
| CVE-2023-36504 | Bbsetheme | Bbs E-popup | 2024-12-26 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in BBS e-Theme BBS e-Popup. This issue affects BBS e-Popup: from n/a through 2.4.5. |
| CVE-2024-11281 | | | 2024-12-25 | N/A | 9.8 CRITICAL | The WooCommerce Point of Sale plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0. This is due to insufficient validation on the 'logged_in_user_id' value when option values are empty and the ability for attackers to change the email of arbitrary user accounts. This makes it possible for unauthenticated attackers to change the email of arbitrary user accounts, including administrators, and reset their password to gain access to the account. |
| CVE-2024-12413 | | | 2024-12-25 | N/A | 5.3 MEDIUM | The MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions like 'marketking_delete_team_member', 'marketkingrejectuser', 'marketking_save_profile_settings', and many more in all versions up to, and including, 2.0.00. This makes it possible for unauthenticated attackers to delete users, update settings, approve users, and more. |
| CVE-2024-12190 | | | 2024-12-25 | N/A | 4.3 MEDIUM | The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the bitform-form-entry-edit endpoint in all versions up to, and including, 2.17.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all form submissions from other users. |
| CVE-2024-12881 | | | 2024-12-24 | N/A | 8.8 HIGH | The PlugVersions – Easily rollback to previous versions of your plugins plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the eos_plugin_reviews_restore_version() function in all versions up to, and including, 0.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary files leveraging files included locally. |
| CVE-2024-12594 | | | 2024-12-24 | N/A | 8.8 HIGH | The Custom Login Page Styler – Login Protected Private Site, Change wp-admin login url, WordPress login logo, Temporary admin login access, Rename login, Login customizer, Hide wp-login – Limit Login Attempts – Locked Site plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'lps_generate_temp_access_url' AJAX action in all versions up to, and including, 7.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and ... |
| CVE-2024-12210 | | | 2024-12-24 | N/A | 4.3 MEDIUM | The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wcdn_remove_shoplogo' AJAX action in all versions up to, and including, 5.4.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to remove the shop's logo. |
| CVE-2024-12617 | | | 2024-12-24 | N/A | 5.4 MEDIUM | The WC Price History for Omnibus plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and modify history data. |
| CVE-2024-12266 | | | 2024-12-24 | N/A | 6.5 MEDIUM | The ELEX WooCommerce Dynamic Pricing and Discounts plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the elex_dp_export_rules() and elex_dp_import_rules() functions in all versions up to, and including, 2.1.7. This makes it possible for unauthenticated attackers to import and export product rules along with obtaining phpinfo() data. |
| CVE-2024-1093 | Simon99 | Change Memory Limit | 2024-12-23 | N/A | 5.3 MEDIUM | The Change Memory Limit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_logic() function hooked via admin_init in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to update the memory limit. |
| CVE-2024-12558 | | | 2024-12-21 | N/A | 6.5 MEDIUM | The WP BASE Booking of Appointments, Services and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_db function in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose sensitive information from the database, such as the hashed administrator password. |
| CVE-2024-43222 | | | 2024-12-20 | N/A | 9.8 CRITICAL | Missing Authorization vulnerability in SeventhQueen Sweet Date. This issue affects Sweet Date: from n/a through 3.7.3. |
| CVE-2017-13316 | Google | Android | 2024-12-18 | N/A | 7.8 HIGH | In checkPermissions of RecognitionService.java, there is a possible permissions bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2018-9477 | Google | Android | 2024-12-18 | N/A | 7.8 HIGH | In the development options section of the Settings app, there is a possible authentication bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. |
| CVE-2024-54381 | | | 2024-12-18 | N/A | 7.1 HIGH | Missing Authorization vulnerability in theDotstore Advance Menu Manager. This issue affects Advance Menu Manager: from n/a through 3.1.1. |
| CVE-2018-9469 | Google | Android | 2024-12-18 | N/A | 7.8 HIGH | In multiple functions of ShortcutService.java, there is a possible creation of a spoofed shortcut due to a missing permission check. This could lead to local escalation of privilege in a privileged app with no additional execution privileges needed. User interaction is needed for exploitation. |
| CVE-2024-43087 | Google | Android | 2024-12-18 | N/A | 7.8 HIGH | In getInstalledAccessibilityPreferences of AccessibilitySettings.java, there is a possible way to hide an enabled accessibility service in the accessibility service settings due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. |
| CVE-2017-13314 | Google | Android | 2024-12-18 | N/A | 7.8 HIGH | In setAllowOnlyVpnForUids of NetworkManagementService.java, there is a possible security settings bypass due to a missing permission check. This could lead to local escalation of privilege allowing users to access non-VPN networks, when they are supposed to be restricted to the VPN networks, with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2024-56008 | | | 2024-12-18 | N/A | 7.5 HIGH | Missing Authorization vulnerability in spreadr Spreadr Woocommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Spreadr Woocommerce: from n/a through 1.0.4. |
| CVE-2024-55997 | | | 2024-12-18 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Web Chunky Order Delivery & Pickup Location Date Time allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Delivery & Pickup Location Date Time: from n/a through 1.1.0. |
| CVE-2024-52485 | | | 2024-12-18 | N/A | 6.5 MEDIUM | Missing Authorization vulnerability in Yudiz Solutions Ltd. WP Menu Image allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Menu Image: from n/a through 2.2. |
| CVE-2024-11926 | | | 2024-12-18 | N/A | 6.5 MEDIUM | The Travel Booking WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '__stPartnerCreateServiceRental', 'st_delete_order_item', '_st_partner_approve_booking', 'save_order_item', and '__userDenyEachInfo' functions in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify posts, delete posts and pages, approve arbitrary orders, inser ... |
| CVE-2024-12259 | | | 2024-12-18 | N/A | 8.8 HIGH | The CRM WordPress Plugin – RepairBuddy plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.8120. This is due to the plugin not properly validating a user's identity prior to updating their email through the wc_update_user_data AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the ... |
| CVE-2024-43088 | Google | Android | 2024-12-17 | N/A | 7.8 HIGH | In multiple functions in AppInfoBase.java, there is a possible way to manipulate app permission settings belonging to another user on the device due to a missing permission check. This could lead to local escalation of privilege across user boundaries with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2024-43089 | Google | Android | 2024-12-17 | N/A | 7.8 HIGH | In updateInternal of MediaProvider.java, there is a possible access of another app's files due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2023-21141 | Google | Android | 2024-12-17 | N/A | 5.5 MEDIUM | In several functions of several files, there is a possible way to access developer mode traces due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11, Android-12, Android-12L, Android-13. Android ID: A-262244249. |
| CVE-2024-34719 | Google | Android | 2024-12-17 | N/A | 7.8 HIGH | In multiple locations, there is a possible permissions bypass due to a missing null check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2024-40661 | Google | Android | 2024-12-17 | N/A | 7.8 HIGH | In mayAdminGrantPermission of AdminRestrictedPermissionsUtils.java, there is a possible way to access the microphone due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2024-40671 | Google | Android | 2024-12-17 | N/A | 7.8 HIGH | In DevmemIntChangeSparse2 of devicemem_server.c, there is a possible way to achieve arbitrary code execution due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2024-45493 | | | 2024-12-17 | N/A | 9.8 CRITICAL | An issue was discovered in MSA FieldServer Gateway 5.0.0 through 6.5.2 (Fixed in 7.0.0). The FieldServer Gateway has internal users, whose access is supposed to be restricted to login locally on the device. However, an attacker can bypass the check for this, which might allow them to authenticate with an internal user account from the network (if they know their password). |
| CVE-2024-40652 | Google | Android | 2024-12-17 | N/A | 7.8 HIGH | In onCreate of SettingsHomepageActivity.java, there is a possible way to access the Settings app while the device is provisioning due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. |
| CVE-2024-40650 | Google | Android | 2024-12-17 | N/A | 7.8 HIGH | In wifi_item_edit_content of styles.xml, there is a possible FRP bypass due to a missing check for FRP state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2024-31318 | Google | Android | 2024-12-17 | N/A | 7.8 HIGH | In CompanionDeviceManagerService.java, there is a possible way to pair a companion device without user acceptance due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2024-23704 | Google | Android | 2024-12-17 | N/A | 7.8 HIGH | In onCreate of WifiDialogActivity.java, there is a possible way to bypass the DISALLOW_ADD_WIFI_CONFIG restriction due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2024-8434 | Themehunk | Mega Menu | 2024-12-17 | N/A | 4.3 MEDIUM | The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform actions like updating plugin settings. |
| CVE-2024-0038 | Google | Android | 2024-12-16 | N/A | 7.8 HIGH | In injectInputEventToInputFilter of AccessibilityManagerService.java, there is a possible arbitrary input event injection due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
| CVE-2024-56003 | | | 2024-12-16 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in David Cramer Caldera SMTP Mailer. This issue affects Caldera SMTP Mailer: from n/a through 1.0.1. |
| CVE-2024-55999 | | | 2024-12-16 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in Marco Giannini XML Multilanguage Sitemap Generator. This issue affects XML Multilanguage Sitemap Generator: from n/a through 2.0.6. |