Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2023-33996 — Authorization: Missing Authorization vulnerability in CleanTalk Inc Spam protection, AntiSpam, FireWall by CleanTalk cleantalk-spam-protect allows
Missing Authorization vulnerability in CleanTalk Inc Spam protection, AntiSpam, FireWall by CleanTalk cleantalk-spam-protect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spam protection, AntiSpam, FireWall by CleanTalk: from n/a through <= 6.10. CVSSv3.1 8.8 (HIGH)
CVE-2022-46838 — Joomsky Js_help_desk: Missing Authorization vulnerability in JoomSky JS Help Desk js-support-ticket allows Exploiting Incorrectly Configured Access
Missing Authorization vulnerability in JoomSky JS Help Desk js-support-ticket allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JS Help Desk: from n/a through <= 2.7.1. CVSSv3.1 9.1 (CRITICAL)
CVE-2024-10783 — MainWP: The MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites
The MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites plugin for WordPress is vulnerable to privilege escalation due to a missing authorization checks on the register_site function in all versions up to, and including, 5.2 when a site is left in an unconfigured state. This makes it possible for unauthenticated attackers to log in as an administrator on instances where MainWP Child is not yet connected to the MainWP Dashboard. IMPORTANT: this on CVSSv3.1 8.1 (HIGH)
CVE-2024-21544 — Versions of the package spatie/browsershot before 5.0.1 are vulnerable to Improper Input Validation due
Versions of the package spatie/browsershot before 5.0.1 are vulnerable to Improper Input Validation due to improper URL validation in the setUrl method. An attacker can exploit this vulnerability by using leading whitespace (%20) before the file:// protocol, resulting in Local File Inclusion, which allows the attacker to read sensitive files on the server. CVSSv3.1 8.6 (HIGH) · EPSS 37th percentile
CVE-2024-55875 — Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability
http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. The original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class CVSSv3.1 9.8 (CRITICAL) · EPSS 92th percentile
CVE-2024-10111 — OAuth: The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable
The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.26.3. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service ret CVSSv3.1 8.1 (HIGH)
CVE-2024-53480 — Phpgurukul Beauty_parlour_management_system: Phpgurukul's Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in `login.php` via
Phpgurukul's Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in `login.php` via the `emailcont` parameter. CVSSv3.1 9.8 (CRITICAL) · EPSS 45th percentile
CVE-2024-46442 — BYD: An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to
An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to bypass authentication via a bruteforce attack. CVSSv3.1 9.8 (CRITICAL) · EPSS 45th percentile
CVE-2024-53866 — Pnpm Pnpm: The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global
The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and installs by default don't revalidate the data (including on first lockfile generation). This can make workspace A (even running with `ignore-scripts=true`) posion global cache and execute scripts in workspace B. Users generally expect `ignore-scrip CVSSv3.1 9.8 (CRITICAL) · EPSS 57th percentile
CVE-2024-21542 — Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via
Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the _extract_packages_archive function. CVSSv3.1 8.6 (HIGH) · EPSS 94th percentile
CVE-2024-40583 — Pentaminds Curovms: v2.0.1 was discovered to contain exposed credentials.
Pentaminds CuroVMS v2.0.1 was discovered to contain exposed credentials. CVSSv3.1 9.1 (CRITICAL) · EPSS 46th percentile
CVE-2024-8259 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eryaz Information Technologies NatraCar B2B Dealer Management Program allows SQL Injection. This issue affects NatraCar B2B Dealer Management Program: through 09.12.2024. NOTE: The vendor was contacted and it was learned that the product is not supported. CVSSv3.1 9.8 (CRITICAL) · EPSS 34th percentile
CVE-2024-54215 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in roninwp Revy revy.This issue affects Revy: from n/a through <= 1.18. CVSSv3.1 9.3 (CRITICAL)
CVE-2024-53822 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Genetech Pie Register Premium pie-register-premium.This
Unrestricted Upload of File with Dangerous Type vulnerability in Genetech Pie Register Premium pie-register-premium.This issue affects Pie Register Premium: from n/a through < 3.8.3.3. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-43222 — Authorization: Missing Authorization vulnerability in SeventhQueen Sweet Date sweetdate allows Privilege Escalation.This issue affects Sweet
Missing Authorization vulnerability in SeventhQueen Sweet Date sweetdate allows Privilege Escalation.This issue affects Sweet Date: from n/a through <= 3.7.3. CVSSv3.1 9.8 (CRITICAL)
CVE-2023-51360 — Wpdeveloper Essential_blocks: Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg essential-blocks allows Exploiting Incorrectly Configured
Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg essential-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Blocks for Gutenberg: from n/a through <= 4.2.0. CVSSv3.1 8.8 (HIGH)
CVE-2023-51359 — Wpdeveloper Essential_blocks: Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg essential-blocks allows Exploiting Incorrectly Configured
Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg essential-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Blocks for Gutenberg: from n/a through <= 4.2.0. CVSSv3.1 8.8 (HIGH)
CVE-2023-51355 — Authorization: Missing Authorization vulnerability in MultiVendorX MultiVendorX dc-woocommerce-multi-vendor allows Exploiting Incorrectly Configured Access Control Security
Missing Authorization vulnerability in MultiVendorX MultiVendorX dc-woocommerce-multi-vendor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MultiVendorX: from n/a through <= 4.0.23. CVSSv3.1 8.2 (HIGH) · EPSS 33th percentile
CVE-2023-51353 — Supsystic Popup: Missing Authorization vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Exploiting Incorrectly Configured Access
Missing Authorization vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup by Supsystic: from n/a through <= 1.10.19. CVSSv3.1 9.8 (CRITICAL)
CVE-2023-50903 — Wpmet Metform_elementor_contact_form_builder: Missing Authorization vulnerability in Roxnor Metform metform allows Exploiting Incorrectly Configured Access Control Security
Missing Authorization vulnerability in Roxnor Metform metform allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Metform: from n/a through <= 3.4.0. CVSSv3.1 9.8 (CRITICAL)
CVE-2023-49856 — Rednao Smart_forms: Missing Authorization vulnerability in EDGARROJAS Smart Forms smart-forms allows Exploiting Incorrectly Configured Access Control
Missing Authorization vulnerability in EDGARROJAS Smart Forms smart-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smart Forms: from n/a through <= 2.6.84. CVSSv3.1 8.8 (HIGH)
CVE-2023-49817 — Authorization: Missing Authorization vulnerability in heolixfy Flexible Woocommerce Checkout Field Editor flexible-woocommerce-checkout-field-editor allows Exploiting Incorrectly
Missing Authorization vulnerability in heolixfy Flexible Woocommerce Checkout Field Editor flexible-woocommerce-checkout-field-editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flexible Woocommerce Checkout Field Editor: from n/a through <= 2.0.1. CVSSv3.1 8.2 (HIGH)
CVE-2023-49756 — Themewinter Eventin: Missing Authorization vulnerability in Arraytics Eventin wp-event-solution allows Exploiting Incorrectly Configured Access Control Security
Missing Authorization vulnerability in Arraytics Eventin wp-event-solution allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eventin: from n/a through <= 3.3.52. CVSSv3.1 8.8 (HIGH)
CVE-2023-48286 — Authorization: Missing Authorization vulnerability in mra13 Stripe Payments stripe-payments allows Exploiting Incorrectly Configured Access Control
Missing Authorization vulnerability in mra13 Stripe Payments stripe-payments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Stripe Payments: from n/a through <= 2.0.79. CVSSv3.1 8.2 (HIGH) · EPSS 40th percentile
CVE-2023-47805 — Themewinter Wpcafe: Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security
Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCafe: from n/a through <= 2.2.22. CVSSv3.1 9.8 (CRITICAL)