Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-12110 | 2024-12-06 | N/A | 4.3 MEDIUM | ||
|
The Gold Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate() and deactivate() functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate and deactivate licenses.
|
|||||
| CVE-2024-12028 | 2024-12-06 | N/A | 5.3 MEDIUM | ||
|
The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to send arbitrary friend requests on behalf of another website, accept the friend request for the targeted website, and then communicate with the site as an accepted friend.
|
|||||
| CVE-2024-12027 | 2024-12-06 | N/A | 4.3 MEDIUM | ||
|
The Message Filter for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateFilter() and deleteFilter() functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to update and delete filters.
|
|||||
| CVE-2024-11323 | 2024-12-06 | N/A | 8.8 HIGH | ||
|
The AI Quiz | Quiz Maker plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ai_quiz_update_style() function in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registr ...
Show More |
|||||
| CVE-2024-41624 | 2024-12-05 | N/A | 6.3 MEDIUM | ||
|
Incorrect access control in Himalaya Xiaoya nano smart speaker rom_version 1.6.96 allows a remote attacker to have an unspecified impact.
|
|||||
| CVE-2024-11743 | 1 Mayurik | 1 Best House Rental Management System | 2024-12-04 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, was found in SourceCodester Best House Rental Management System 1.0. Affected is an unknown function of the file /rental/ajax.php?action=delete_user of the component POST Request Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-11673 | 1 1000projects | 1 Bookstore Management System | 2024-12-04 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability, which was classified as problematic, has been found in 1000 Projects Bookstore Management System 1.0. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-53605 | 2024-12-04 | N/A | 7.5 HIGH | ||
|
Incorrect access control in the component content://com.handcent.messaging.provider.MessageProvider/ of Handcent NextSMS v10.9.9.7 allows attackers to access sensitive data.
|
|||||
| CVE-2024-11643 | 2024-12-04 | N/A | 8.8 HIGH | ||
|
The Accessibility by AllAccessible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'AllAccessible_save_settings' function in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and ...
Show More |
|||||
| CVE-2024-10567 | 2024-12-04 | N/A | 7.5 HIGH | ||
|
The TI WooCommerce Wishlist plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wizard' function in all versions up to, and including, 2.9.1. This makes it possible for unauthenticated attackers to create new pages, modify plugin settings, and perform limited options updates.
|
|||||
| CVE-2024-9671 | 1 Redhat | 1 3scale Api Management Platform | 2024-12-04 | N/A | 5.3 MEDIUM |
|
A vulnerability was found in 3Scale. There is no auth mechanism to see a PDF invoice of a Developer user if the URL is known. Anyone can see the invoice if the URL is known or guessed.
|
|||||
| CVE-2024-10664 | 2024-12-04 | N/A | 4.3 MEDIUM | ||
|
The Knowledge Base documentation & wiki plugin – BasePress Docs plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the basepress_db_posts_update() function in all versions up to, and including, 2.16.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the database.
|
|||||
| CVE-2024-10663 | 2024-12-04 | N/A | 4.3 MEDIUM | ||
|
The Eleblog – Elementor Blog And Magazine Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the goodbye_form_callback() function in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit a deactivation reason.
|
|||||
| CVE-2024-53938 | 2024-12-03 | N/A | 8.8 HIGH | ||
|
An issue was discovered in Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. The TELNET service is enabled by default and exposed over the LAN. The root account is accessible without a password, allowing attackers to achieve full control over the router remotely without any authentication.
|
|||||
| CVE-2024-0037 | 1 Google | 1 Android | 2024-12-03 | N/A | 3.3 LOW |
|
In applyCustomDescription of SaveUi.java, there is a possible way to view images belonging to a different user due to a missing permission check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2024-49581 | 2024-12-02 | N/A | 6.5 MEDIUM | ||
|
Restricted Views backed objects (OSV1) could be bypassed under specific circumstances due to a software bug, this could have allowed users that didn't have permission to see such objects to view them via Object Explorer directly. This software bug did not impact or otherwise make data available across organizational boundaries nor did it allow for data to be viewed or accessed by unauthenticated users.
The affected service have been patched and automatically deployed to all Apollo-managed Foun ...
Show More |
|||||
| CVE-2024-22272 | 2024-12-02 | N/A | 4.9 MEDIUM | ||
|
VMware Cloud Director contains an Improper Privilege Management vulnerability.
An authenticated tenant administrator for a
given organization within VMware Cloud Director may be able to
accidentally disable their organization leading to a Denial of Service
for active sessions within their own organization's scope.
|
|||||
| CVE-2024-53784 | 2024-12-02 | N/A | 4.3 MEDIUM | ||
|
Missing Authorization vulnerability in E-goi Smart Marketing SMS and Newsletters Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smart Marketing SMS and Newsletters Forms: from n/a through 5.0.9.
|
|||||
| CVE-2024-53708 | 2024-12-02 | N/A | 5.3 MEDIUM | ||
|
Missing Authorization vulnerability in AutoQuiz AI Quiz allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects AI Quiz: from n/a through 1.1.
|
|||||
| CVE-2024-31248 | 1 Plugins360 | 1 All-in-one Video Gallery | 2024-12-02 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in Team Plugins360 All-in-One Video Gallery.This issue affects All-in-One Video Gallery: from n/a through 3.5.2.
|
|||||
| CVE-2024-10900 | 1 Metagauss | 1 Profilegrid | 2024-11-29 | N/A | 6.5 MEDIUM |
|
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_remove_file_attachment() function in all versions up to, and including, 5.9.3.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary user meta which can do things like deny an administrator's access to their site. .
|
|||||
| CVE-2024-11918 | 2024-11-28 | N/A | 4.3 MEDIUM | ||
|
The Image Alt Text plugin for WordPress is vulnerable to unauthorized modification of data| due to a missing capability check on the iat_add_alt_txt_action and iat_update_alt_txt_action AJAX actions in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the alt text on arbitrary images.
|
|||||
| CVE-2024-10580 | 2024-11-27 | N/A | 5.3 MEDIUM | ||
|
The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized form submissions due to a missing capability check on the submit_form() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to submit unpublished forms.
|
|||||
| CVE-2024-9941 | 1 Mojoomla | 1 Wordpress Gym Management System | 2024-11-26 | N/A | 8.8 HIGH |
|
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the MJ_gmgt_add_staff_member() function in all versions up to, and including, 67.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to create new user accounts with the administrator role.
|
|||||
| CVE-2024-11354 | 1 Codelizar | 1 Ultimate Youtube Video \& Shorts Player With Vimeo | 2024-11-26 | N/A | 4.3 MEDIUM |
|
The Ultimate YouTube Video & Shorts Player With Vimeo plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the del_ytsingvid() function in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete single playlists.
|
|||||
| CVE-2024-11334 | 1 Nes360 | 1 My Contador Lesr | 2024-11-26 | N/A | 4.3 MEDIUM |
|
The My Contador lesr plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportar_registros() function in all versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to export user data.
|
|||||
| CVE-2024-35669 | 1 Bowo | 1 Debug Log Manager | 2024-11-26 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in Bowo Debug Log Manager.This issue affects Debug Log Manager: from n/a through 2.3.1.
|
|||||
| CVE-2024-35660 | 1 Master-addons | 1 Master Addons | 2024-11-26 | N/A | 6.5 MEDIUM |
|
Missing Authorization vulnerability in Jewel Theme Master Addons for Elementor.This issue affects Master Addons for Elementor: from n/a through 2.0.5.4.1.
|
|||||
| CVE-2022-20941 | 1 Cisco | 1 Secure Firewall Management Center | 2024-11-26 | N/A | 5.3 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an unauthenticated, remote attacker to access sensitive information.
This vulnerability is due to missing authorization for certain resources in the web-based management interface together with insufficient entropy in these resource names. An attacker could exploit this vulnerability by sending a series of HTTPS requests to an affected device to enumerate resources on the devi ...
Show More |
|||||
| CVE-2024-31252 | 1 Dfactory | 1 Responsive Lightbox \& Gallery | 2024-11-26 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in dFactory Responsive Lightbox.This issue affects Responsive Lightbox: from n/a through 2.4.6.
|
|||||
| CVE-2024-31261 | 1 Aakashweb | 1 Announcer | 2024-11-26 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in Aakash Chakravarthy Announcer – Notification & message bars.This issue affects Announcer – Notification & message bars: from n/a through 6.0.
|
|||||
| CVE-2024-33565 | 1 Ukrsolution | 1 Barcode Scanner And Inventory Manager | 2024-11-26 | N/A | 9.1 CRITICAL |
|
Missing Authorization vulnerability in UkrSolution Barcode Scanner with Inventory & Order Manager.This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through 1.5.3.
|
|||||
| CVE-2024-33572 | 1 Posimyth | 1 Nexter Blocks | 2024-11-26 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in POSIMYTH The Plus Blocks for Block Editor | Gutenberg.This issue affects The Plus Blocks for Block Editor | Gutenberg: from n/a through 3.2.5.
|
|||||
| CVE-2024-34435 | 1 Coderevolution | 1 Aiomatic | 2024-11-26 | N/A | 4.3 MEDIUM |
|
Missing Authorization vulnerability in CodeRevolution Aiomatic.This issue affects Aiomatic: from n/a through 1.9.3.
|
|||||
| CVE-2024-10579 | 2024-11-26 | N/A | 4.3 MEDIUM | ||
|
The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the preview_module() function in all versions up to, and including, 7.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view unpublished forms.
|
|||||
| CVE-2024-9756 | 1 Directsoftware | 1 Order Attachments For Woocommerce | 2024-11-25 | N/A | 4.3 MEDIUM |
|
The Order Attachments for WooCommerce plugin for WordPress is vulnerable to unauthorized limited arbitrary file uploads due to a missing capability check on the wcoa_add_attachment AJAX action in versions 2.0 to 2.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload limited file types.
|
|||||
| CVE-2024-9707 | 1 Themehunk | 1 Hunk Companion | 2024-11-25 | N/A | 9.8 CRITICAL |
|
The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
|
|||||
| CVE-2024-8272 | 2024-11-25 | N/A | 7.8 HIGH | ||
|
The com.uaudio.bsd.helper service, responsible for handling privileged operations, fails to implement critical client validation during XPC inter-process communication (IPC). Specifically, the service does not verify the code requirements, entitlements, or security flags of any client attempting to establish a connection. This lack of proper validation allows unauthorized clients to exploit the service's methods and escalate privileges to root.
|
|||||
| CVE-2023-6959 | 1 Motopress | 1 Getwid | 2024-11-25 | N/A | 4.3 MEDIUM |
|
The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the recaptcha_api_key_manage function in all versions up to, and including, 2.0.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to add, modify, or delete the 'Recaptcha Site Key' and 'Recaptcha Secret Key' settings.
|
|||||
| CVE-2024-9223 | 2024-11-23 | N/A | 4.3 MEDIUM | ||
|
The WPDash Notes plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_ajax_post_it_list_comment' function in all versions up to, and including, 1.3.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view comments on any post, including private and password protected posts, and pending and draft posts if they were previously published. The vulnerability was partially patched in version 1.3.5.
|
|||||