Total: 6931 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-1798 | 1 Themeum | 1 Tutor Lms - Migration Tool | 2024-11-21 | N/A | 5.3 MEDIUM | The Tutor LMS – Migration Tool plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the tutor_lp_export_xml function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to export courses, including private and password protected courses. |
| CVE-2024-1689 | 1 Themefarmer | 1 Woocommerce Tools | 2024-11-21 | N/A | 5.3 MEDIUM | The WooCommerce Tools plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woocommerce_tool_toggle_module() function in all versions up to, and including, 1.2.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to deactivate arbitrary plugin modules. |
| CVE-2024-1634 | 1 Startbooking | 1 Scheduling Plugin - Online Booking | 2024-11-21 | N/A | 6.5 MEDIUM | The Scheduling Plugin – Online Booking for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cbsb_disconnect_settings' function in all versions up to, and including, 3.5.10. This makes it possible for unauthenticated attackers to disconnect the plugin from the startbooking service and remove connection data. |
| CVE-2024-1438 | | | 2024-11-21 | N/A | 7.7 HIGH | Missing Authorization vulnerability in PressFore Rolo Slider. This issue affects Rolo Slider: from n/a through 1.0.9. |
| CVE-2024-1350 | | | 2024-11-21 | N/A | 5.3 MEDIUM | Missing Authorization vulnerability in Prasidhda Malla Honeypot for WP Comment. This issue affects Honeypot for WP Comment: from n/a through 2.2.3. |
| CVE-2024-1177 | 1 Wpclubmanager | 1 Wp Club Manager | 2024-11-21 | N/A | 5.3 MEDIUM | The WP Club Manager – WordPress Sports Club Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the settings_save() function in all versions up to, and including, 2.2.10. This makes it possible for unauthenticated attackers to update the permalink structure for the clubs. |
| CVE-2024-1175 | 1 Plechevandrey | 1 Wp-recall | 2024-11-21 | N/A | 5.3 MEDIUM | The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'delete_payment' function in all versions up to, and including, 16.26.6. This makes it possible for unauthenticated attackers to delete arbitrary payments. |
| CVE-2024-1137 | | | 2024-11-21 | N/A | 4.3 MEDIUM | The Proxy and Client components of TIBCO Software Inc.'s TIBCO ActiveSpaces - Enterprise Edition contain a vulnerability that theoretically allows an Active Spaces client to passively observe data traffic to other clients. Affected releases are TIBCO Software Inc.'s TIBCO ActiveSpaces - Enterprise Edition: versions 4.4.0 through 4.9.0. |
| CVE-2024-1122 | 1 Themewinter | 1 Eventin | 2024-11-21 | N/A | 5.3 MEDIUM | The Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_data() function in all versions up to, and including, 3.3.50. This makes it possible for unauthenticated attackers to export event data. |
| CVE-2024-1121 | 1 Hookturn | 1 Advanced Forms For Acf | 2024-11-21 | N/A | 5.3 MEDIUM | The Advanced Forms for ACF plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_json_file() function in all versions up to, and including, 1.9.3.2. This makes it possible for unauthenticated attackers to export form settings. |
| CVE-2024-1109 | 1 Podlove | 1 Podlove Podcast Publisher | 2024-11-21 | N/A | 5.3 MEDIUM | The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the init_download() and init() functions in all versions up to, and including, 4.0.11. This makes it possible for unauthenticated attackers to export the plugin's tracking data and podcast information. |
| CVE-2024-1092 | 1 Themeisle | 1 Rss Aggregator By Feedzy | 2024-11-21 | N/A | 4.3 MEDIUM | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the feedzy dashboard in all versions up to, and including, 4.4.1. This makes it possible for authenticated attackers, with contributor access or higher, to create, edit or delete feed categories created by them. |
| CVE-2024-1079 | 1 Ays-pro | 1 Quiz Maker | 2024-11-21 | N/A | 5.3 MEDIUM | The Quiz Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_show_results() function in all versions up to, and including, 6.5.2.4. This makes it possible for unauthenticated attackers to fetch arbitrary quiz results which can contain PII. |
| CVE-2024-1078 | 1 Ays-pro | 1 Quiz Maker | 2024-11-21 | N/A | 4.3 MEDIUM | The Quiz Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ays_quick_start() and add_question_rows() functions in all versions up to, and including, 6.5.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary quizzes. |
| CVE-2024-1072 | 1 Seedprod | 1 Website Builder By Seedprod | 2024-11-21 | N/A | 8.2 HIGH | The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the seedprod_lite_new_lpage function in all versions up to, and including, 6.15.21. This makes it possible for unauthenticated attackers to change the contents of coming-soon, maintenance pages, login and 404 pages set up with the plugin. Version 6.15.22 addresses this issue but intro ... |
| CVE-2024-1047 | 1 Themeisle | 1 Orbit Fox | 2024-11-21 | N/A | 5.3 MEDIUM | The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in all versions up to, and including, 2.10.28. This makes it possible for unauthenticated attackers to update the connected API keys. |
| CVE-2024-0972 | 1 Membersonly | 1 Buddypress Members Only | 2024-11-21 | N/A | 5.3 MEDIUM | The BuddyPress Members Only plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.5 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's "All Other Sections On Your Site Will be Opened to Guest" feature (when unset) and view restricted page and post content. |
| CVE-2024-0836 | 1 Radiustheme | 1 Review Schema | 2024-11-21 | N/A | 4.3 MEDIUM | The WordPress Review & Structure Data Schema Plugin – Review Schema plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtrs_review_edit() function in all versions up to, and including, 2.1.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify arbitrary reviews. |
| CVE-2024-0835 | 1 Royal-elementor-addons | 1 Royal Elementor Kit | 2024-11-21 | N/A | 4.3 MEDIUM | The Royal Elementor Kit theme for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the dismissed_handler function in all versions up to, and including, 1.0.116. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note that these transients can only be updated to true and not to arbitrary values. |
| CVE-2024-0791 | 1 Pluginus | 1 Wolf - Wordpress Posts Bulk Editor And Products Manager Professional | 2024-11-21 | N/A | 4.3 MEDIUM | The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to unauthorized access, modification or loss of data due to a missing capability check on the wpbe_create_new_term, wpbe_update_tax_term, and wpbe_delete_tax_term functions in all versions up to, and including, 1.0.8.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create, delete or modify taxonomy terms. |
| CVE-2024-0619 | 1 Payflex | 1 Payment Gateway | 2024-11-21 | N/A | 5.3 MEDIUM | The Payflex Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the payment_callback() function in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to update the status of orders, which can potentially lead to revenue loss. |
| CVE-2024-0617 | 1 Quanticedgesolutions | 1 Category Discount Woocommerce | 2024-11-21 | N/A | 5.3 MEDIUM | The Category Discount Woocommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpcd_save_discount() function in all versions up to, and including, 4.12. This makes it possible for unauthenticated attackers to modify product category discounts, which could lead to loss of revenue. |
| CVE-2024-0596 | 1 Getawesomesupport | 1 Awesome Support | 2024-11-21 | N/A | 5.3 MEDIUM | The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the editor_html() function in all versions up to, and including, 6.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to view password protected and draft posts. |
| CVE-2024-0595 | 1 Getawesomesupport | 1 Awesome Support | 2024-11-21 | N/A | 4.3 MEDIUM | The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpas_get_users() function hooked via AJAX in all versions up to, and including, 6.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve user data such as emails. |
| CVE-2024-0570 | 1 Totolink | 2 N350rt, N350rt Firmware | 2024-11-21 | 7.5 HIGH | 7.3 HIGH | A vulnerability classified as critical was found in Totolink N350RT 9.3.5u.6265. This vulnerability affects unknown code of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. It is recommended to upgrade the affected component. VDB-250786 is the identifier assigned to this vulnerability. |
| CVE-2024-0569 | 1 Totolink | 2 T8, T8 Firmware | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM | A vulnerability classified as problematic has been found in Totolink T8 4.1.5cu.833_20220905. This affects the function getSysStatusCfg of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation of the argument ssid/key leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.5cu.862_B20230228 is able to address this issue. It is recommended to upgrade the affec ... |
| CVE-2024-0394 | | | 2024-11-21 | N/A | 7.8 HIGH | Rapid7 Minerva Armor versions below 4.5.5 suffer from a privilege escalation vulnerability whereby an authenticated attacker can elevate privileges and execute arbitrary code with SYSTEM privilege. The vulnerability is caused by the product's implementation of OpenSSL's `OPENSSLDIR` parameter, where it is set to a path accessible to low-privileged users. The vulnerability has been remediated and fixed in version 4.5.5. |
| CVE-2024-0372 | 1 Formviewswp | 1 Views For Wpforms | 2024-11-21 | N/A | 4.3 MEDIUM | The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_form_fields' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to create form views. |
| CVE-2024-0371 | 1 Formviewswp | 1 Views For Wpforms | 2024-11-21 | N/A | 4.3 MEDIUM | The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'create_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to create form views. |
| CVE-2024-0370 | 1 Formviewswp | 1 Views For Wpforms | 2024-11-21 | N/A | 4.3 MEDIUM | The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to modify the titles of arbitrary posts. |
| CVE-2024-0201 | 1 Webcodingplace | 1 Product Expiry For Woocommerce | 2024-11-21 | N/A | 5.4 MEDIUM | The Product Expiry for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_settings' function in versions up to, and including, 2.5. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to update plugin settings. |
| CVE-2023-7068 | 1 Webtoffee | 1 Woocommerce Pdf Invoices, Packing Slips, Delivery Notes And Shipping Labels | 2024-11-21 | N/A | 4.3 MEDIUM | The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the print_packinglist action in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to export orders which can contain sensitive information. |
| CVE-2023-6985 | 1 10web | 1 Ai Assistant | 2024-11-21 | N/A | 6.5 MEDIUM | The 10Web AI Assistant – AI content writing assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the install_plugin AJAX action in all versions up to, and including, 1.0.18. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins that can be used to gain further access to a compromised site. |
| CVE-2023-6966 | 1 Themoneytizer | 1 The Moneytizer | 2024-11-21 | N/A | 8.1 HIGH | The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/core_ajax.php file in all versions up to, and including, 9.5.20. This makes it possible for authenticated attackers, with subscriber access and above, to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages as well as other lower-severity actions. |
| CVE-2023-6876 | 1 Nayrathemes | 1 Clever Fox | 2024-11-21 | N/A | 5.4 MEDIUM | The Clever Fox – One Click Website Importer by Nayra Themes plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'clever-fox-activate-theme' function in all versions up to, and including, 25.2.0. This makes it possible for authenticated attackers, with subscriber access and above, to modify the active theme, including to an invalid value which can take down the site. |
| CVE-2023-6840 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 6.7 MEDIUM | An issue has been discovered in GitLab EE affecting all versions from 16.4 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows a maintainer to change the name of a protected branch, bypassing the security policy added to block MRs. |
| CVE-2023-6798 | 1 Themeisle | 1 Rss Aggregator By Feedzy | 2024-11-21 | N/A | 5.4 MEDIUM | The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check when updating settings in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with author-level access or above, to change the plugin's settings including proxy settings, which are also exposed to authors. |
| CVE-2023-6751 | 1 Hostinger | 1 Hostinger | 2024-11-21 | N/A | 7.3 HIGH | The Hostinger plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the function publish_website in all versions up to, and including, 1.9.7. This makes it possible for unauthenticated attackers to enable and disable maintenance mode. |
| CVE-2023-6733 | 1 Butlerblog | 1 Wp-members | 2024-11-21 | N/A | 6.5 MEDIUM | The WP-Members Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.8 via the wpmem_field shortcode. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including user emails, password hashes, usernames, and more. |
| CVE-2023-6700 | 1 Cookieinformation | 1 Wp-gdpr-compliance | 2024-11-21 | N/A | 8.8 HIGH | The Cookie Information \| Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler in versions up to, and including, 2.0.22. This makes it possible for authenticated attackers, with subscriber-level access or higher, to edit arbitrary site options which can be used to create administrator accounts. |