Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-6698 | 1 Wpmet | 1 Fundengine | 2024-11-23 | N/A | 8.8 HIGH |
|
The FundEngine plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying user meta updated through the update_user_meta function. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta which can be leveraged to update their capabilities to gain administrator access.
|
|||||
| CVE-2024-0138 | 2024-11-23 | N/A | 9.8 CRITICAL | ||
|
NVIDIA Base Command Manager contains a missing authentication vulnerability in the CMDaemon component. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
|
|||||
| CVE-2024-0122 | 2024-11-23 | N/A | 7.6 HIGH | ||
|
NVIDIA Delegated Licensing Service for all appliance platforms contains a vulnerability where an attacker may cause an unauthorized action. A successful exploit of this vulnerability may lead to partial denial of service and confidential information disclosure.
|
|||||
| CVE-2024-11355 | 2024-11-22 | N/A | 4.3 MEDIUM | ||
|
The Ultimate YouTube Video & Shorts Player With Vimeo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_setting() function in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view settings for playlists.
|
|||||
| CVE-2024-5331 | 1 Soflyy | 1 Breakdance | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Breakdance plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 1.7.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to export form submissions.
|
|||||
| CVE-2024-11154 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
|
The PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.15 via the 'actAjaxRevisionDiffs' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including revisions of posts and pages.
|
|||||
| CVE-2024-10665 | 2024-11-21 | N/A | 5.4 MEDIUM | ||
|
The Yaad Sarig Payment Gateway For WC plugin for WordPress is vulnerable to unauthorized modification & access of data due to a missing capability check on the yaadpay_view_log_callback() and yaadpay_delete_log_callback() functions in all versions up to, and including, 2.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete logs.
|
|||||
| CVE-2024-10532 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
|
The Bard Extra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bardxtra_import_xml() function in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to import demo data.
|
|||||
| CVE-2024-10528 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
|
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to unauthorized profile picture updates due to a missing capability check on the wp_ajax_um_resize_image() and ajax_resize_image() functions in all versions up to, and including, 2.8.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the profile pictures of other users.
|
|||||
| CVE-2024-6836 | 1 Funnelkit | 1 Funnel Builder | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple functions in all versions up to, and including, 3.4.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to update multiple settings, including templates, designs, checkouts, and other plugin setting ...
Show More |
|||||
| CVE-2024-6806 | 1 Ni | 1 Veristand | 2024-11-21 | N/A | 9.8 CRITICAL |
|
The NI VeriStand Gateway is missing authorization checks when an actor attempts to access Project resources. These missing checks may result in remote code execution. This affects NI VeriStand 2024 Q2 and prior versions.
|
|||||
| CVE-2024-6805 | 1 Ni | 1 Veristand | 2024-11-21 | N/A | 7.5 HIGH |
|
The NI VeriStand Gateway is missing authorization checks when an actor attempts to access File Transfer resources. These missing checks may result in information disclosure or remote code execution. This affects NI VeriStand 2024 Q2 and prior versions.
|
|||||
| CVE-2024-6799 | 1 Yithemes | 1 Yith Essential Kit For Woocommerce | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The YITH Essential Kit for WooCommerce #1 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_module', 'deactivate_module', and 'install_module' functions in all versions up to, and including, 2.34.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install, activate, and deactivate plugins from a pre-defined list of available YITH plugins.
|
|||||
| CVE-2024-6760 | 1 Freebsd | 1 Freebsd | 2024-11-21 | N/A | 7.5 HIGH |
|
A logic bug in the code which disables kernel tracing for setuid programs meant that tracing was not disabled when it should have, allowing unprivileged users to trace and inspect the behavior of setuid programs.
The bug may be used by an unprivileged user to read the contents of files to which they would not otherwise have access, such as the local password database.
|
|||||
| CVE-2024-6755 | 1 Wpwebinfotech | 1 Social Auto Poster | 2024-11-21 | N/A | 6.5 MEDIUM |
|
The Social Auto Poster plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the ‘wpw_auto_poster_quick_delete_multiple’ function in all versions up to, and including, 5.3.14. This makes it possible for unauthenticated attackers to delete arbitrary posts.
|
|||||
| CVE-2024-6754 | 1 Wpwebinfotech | 1 Social Auto Poster | 2024-11-21 | N/A | 5.4 MEDIUM |
|
The Social Auto Poster plugin for WordPress is vulnerable to unauthorized modification of data to a missing capability check on the ‘wpw_auto_poster_update_tweet_template’ function in all versions up to, and including, 5.3.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary post metadata.
|
|||||
| CVE-2024-6750 | 1 Wpwebinfotech | 1 Social Auto Poster | 2024-11-21 | N/A | 7.3 HIGH |
|
The Social Auto Poster plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.3.14. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options.
|
|||||
| CVE-2024-6660 | 1 Reputeinfosystems | 1 Bookingpress | 2024-11-21 | N/A | 8.8 HIGH |
|
The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the bookingpress_import_data_continue_process_func function in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site and upload arbitrary f ...
Show More |
|||||
| CVE-2024-6591 | 2024-11-21 | N/A | 5.8 MEDIUM | ||
|
The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized email creation and sending due to a missing capability check on the 'send_auction_email_callback' and 'resend_auction_email_callback' functions in all versions up to, and including, 4.2.6. This makes it possible for unauthenticated attackers to craft emails that include links and send to any email address.
|
|||||
| CVE-2024-6392 | 1 Sirv | 1 Sirv | 2024-11-21 | N/A | 5.4 MEDIUM |
|
The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to unauthorized plugin settings modification due to missing capability checks on the plugin functions in all versions up to, and including, 7.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the connected Sirv account to an attacker-controlled one.
|
|||||
| CVE-2024-6375 | 1 Mongodb | 1 Mongodb | 2024-11-21 | N/A | 5.4 MEDIUM |
|
A command for refining a collection shard key is missing an authorization check. This may cause the command to run directly on a shard, leading to either degradation of query performance, or to revealing chunk boundaries through timing side channels. This affects MongoDB Server v5.0 versions, prior to 5.0.22, MongoDB Server v6.0 versions, prior to 6.0.11 and MongoDB Server v7.0 versions prior to 7.0.3.
|
|||||
| CVE-2024-6303 | 1 Conduit | 1 Conduit | 2024-11-21 | N/A | 9.9 CRITICAL |
|
Missing authorization in Client-Server API in Conduit <=0.7.0, allowing for any alias to be removed and added to another room, which can be used for privilege escalation by moving the #admins alias to a room which they control, allowing them to run commands resetting passwords, siging json with the server's key, deactivating users, and more
|
|||||
| CVE-2024-6120 | 1 Wpneuron | 1 Sparkle Demo Importer | 2024-11-21 | N/A | 6.5 MEDIUM |
|
The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all posts, pages, and uploaded files, as well as download and install a limited set of demo plugins.
|
|||||
| CVE-2024-6088 | 1 Thimpress | 1 Learnpress | 2024-11-21 | N/A | 5.3 MEDIUM |
|
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the 'register' function in all versions up to, and including, 4.2.6.8.1. This makes it possible for unauthenticated attackers to bypass disabled user registration to create a new account with the default role.
|
|||||
| CVE-2024-6071 | 2024-11-21 | N/A | 10.0 CRITICAL | ||
|
PTC Creo Elements/Direct License Server exposes a web interface which can be used by unauthenticated remote attackers to execute arbitrary OS commands on the server.
|
|||||
| CVE-2024-6033 | 1 Themewinter | 1 Eventin | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the 'import_file' function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to import events, speakers, schedules and attendee data.
|
|||||
| CVE-2024-6012 | 1 Stylemixthemes | 1 Cost Calculator Builder | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'embed-create-page' and 'embed-insert-pages' functions in all versions up to, and including, 3.2.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary posts and append arbitrary content to existing posts.
|
|||||
| CVE-2024-5997 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
|
The Duplica – Duplicate Posts, Pages, Custom Posts or Users plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the duplicate_user and duplicate_post functions in all versions up to, and including, 0.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create duplicates of users and posts/pages.
|
|||||
| CVE-2024-5861 | 1 Wpeasypay | 1 Wp Easypay | 2024-11-21 | N/A | 5.3 MEDIUM |
|
The WP EasyPay – Square for WordPress plugin for WordPress is vulnerable to unauthorized modification of datadue to a missing capability check on the wpep_square_disconnect() function in all versions up to, and including, 4.2.3. This makes it possible for unauthenticated attackers to disconnect square.
|
|||||
| CVE-2024-5770 | 1 Webfactoryltd | 1 Wp Force Ssl | 2024-11-21 | N/A | 4.2 MEDIUM |
|
The WP Force SSL & HTTPS SSL Redirect plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_setting' function in versions up to, and including, 1.66. This makes it possible for authenticated attackers, subscriber-level permissions and above, to update the plugin settings.
|
|||||
| CVE-2024-5703 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized API access due to a missing capability check in all versions up to, and including, 5.7.26. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access the API (provided it is enabled) and add, edit, and delete audience users.
|
|||||
| CVE-2024-5665 | 1 Xootix | 1 Login\/signup Popup | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ‘export_settings’ function in versions 2.7.1 to 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary options on affected sites.
|
|||||
| CVE-2024-5654 | 1 Gsheetconnector | 1 Cf7 Google Sheets Connector | 2024-11-21 | N/A | 6.5 MEDIUM |
|
The CF7 Google Sheets Connector plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'execute_post_data_cg7_free' function in all versions up to, and including, 5.0.9. This makes it possible for unauthenticated attackers to toggle site configuration settings, including WP_DEBUG, WP_DEBUG_LOG, SCRIPT_DEBUG, and SAVEQUERIES.
|
|||||
| CVE-2024-5607 | 1 Ninjateam | 1 Gdpr Ccpa Compliance \& Cookie Consent Banner | 2024-11-21 | N/A | 5.4 MEDIUM |
|
The GDPR CCPA Compliance & Cookie Consent Banner plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions named ajaxUpdateSettings() in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings, update page content, send arbitrary emails and inject malicious web scripts.
|
|||||
| CVE-2024-5545 | 1 Stylemixthemes | 1 Motors - Car Dealer\, Classifieds \& Listing | 2024-11-21 | N/A | 5.3 MEDIUM |
|
The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the stm_edit_delete_user_car function in all versions up to, and including, 1.4.8. This makes it possible for unauthenticated attackers to unpublish arbitrary posts and pages.
|
|||||
| CVE-2024-5489 | 1 Wbcomdesigns | 1 Custom Font Uploader | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Wbcom Designs – Custom Font Uploader plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cfu_delete_customfont' function in all versions up to, and including, 2.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete any custom font.
|
|||||
| CVE-2024-5459 | 1 Fivestarplugins | 1 Five Star Restaurant Menu | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The Restaurant Menu and Food Ordering plugin for WordPress is vulnerable to unauthorized creation of data due to a missing capability check on 'add_section', 'add_menu', 'add_menu_item', and 'add_menu_page' functions in all versions up to, and including, 2.4.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create menu sections, menus, food items, and new menu pages.
|
|||||
| CVE-2024-5453 | 1 Metagauss | 1 Profilegrid | 2024-11-21 | N/A | 4.3 MEDIUM |
|
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_dismissible_notice and pm_wizard_update_group_icon functions in all versions up to, and including, 5.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options to the value '1' or change group icons.
|
|||||
| CVE-2024-5382 | 1 Master-addons | 1 Master Addons | 2024-11-21 | N/A | 6.5 MEDIUM |
|
The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ma-template' REST API route in all versions up to, and including, 2.0.6.1. This makes it possible for unauthenticated attackers to create or modify existing Master Addons templates or make settings modifications related to these templates.
|
|||||
| CVE-2024-5248 | 1 Lunary | 1 Lunary | 2024-11-21 | N/A | 6.5 MEDIUM |
|
In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. The platform's role definitions restrict the `Prompt Editor` role to prompt management and project viewing/listing capabilities, explicitly excluding access to user information. However, the endpoint fails to enforce this restriction, allowing users with the `Prompt Editor` role to access the full list of users in the organization. This vuln ...
Show More |
|||||