Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2023-48286 — Authorization: Missing Authorization vulnerability in mra13 Stripe Payments stripe-payments allows Exploiting Incorrectly Configured Access Control
Missing Authorization vulnerability in mra13 Stripe Payments stripe-payments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Stripe Payments: from n/a through <= 2.0.79. CVSSv3.1 8.2 (HIGH) · EPSS 40th percentile
CVE-2023-47805 — Themewinter Wpcafe: Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security
Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCafe: from n/a through <= 2.2.22. CVSSv3.1 9.8 (CRITICAL)
CVE-2023-47760 — Wpdeveloper Essential_blocks: Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg essential-blocks allows Exploiting Incorrectly Configured
Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg essential-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Blocks for Gutenberg: from n/a through <= 4.2.0. CVSSv3.1 8.8 (HIGH)
CVE-2023-47698 — Authorization: Missing Authorization vulnerability in shohei.tanaka Japanized For WooCommerce woocommerce-for-japan allows Exploiting Incorrectly Configured Access
Missing Authorization vulnerability in shohei.tanaka Japanized For WooCommerce woocommerce-for-japan allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Japanized For WooCommerce: from n/a through <= 2.6.4. CVSSv3.1 8.6 (HIGH) · EPSS 47th percentile
CVE-2023-32117 — Authorization: Missing Authorization vulnerability in princeahmed Integrate Google Drive integrate-google-drive allows Exploiting Incorrectly Configured Access
Missing Authorization vulnerability in princeahmed Integrate Google Drive integrate-google-drive allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Integrate Google Drive: from n/a through <= 1.1.99. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-54214 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in roninwp Revy revy allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in roninwp Revy revy allows Upload a Web Shell to a Web Server.This issue affects Revy: from n/a through <= 1.18. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-53815 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in DOTonPAPER Pinpoint Booking System booking-system allows Blind SQL Injection.This issue affects Pinpoint Booking System: from n/a through <= 2.9.9.5.1. CVSSv3.1 8.5 (HIGH)
CVE-2024-53810 — Authorization: Missing Authorization vulnerability in N-Media Simple User Registration wp-registration allows Accessing Functionality Not Properly
Missing Authorization vulnerability in N-Media Simple User Registration wp-registration allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Simple User Registration: from n/a through <= 5.5. CVSSv3.1 9.1 (CRITICAL)
CVE-2024-53808 — Basixonline Nex-forms: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows SQL Injection.This issue affects NEX-Forms: from n/a through <= 8.7.8. CVSSv3.1 8.5 (HIGH)
CVE-2024-53807 — Wpmailster Wp_mailster: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in brandtoss WP Mailster wp-mailster allows Blind SQL Injection.This issue affects WP Mailster: from n/a through <= 1.8.16.0. CVSSv3.1 8.5 (HIGH)
CVE-2024-51815 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member
Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member allows Code Injection.This issue affects s2Member: from n/a through <= 241114. CVSSv3.1 9.0 (CRITICAL)
CVE-2024-51615 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Marka WordPress Auction Plugin wp-auctions allows SQL Injection.This issue affects WordPress Auction Plugin: from n/a through <= 3.7. CVSSv3.1 9.3 (CRITICAL)
CVE-2024-12155 — SV100: The SV100 Companion plugin for WordPress is vulnerable to unauthorized modification of data that
The SV100 Companion plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the settings_import() function in all versions up to, and including, 2.0.02. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gai CVSSv3.1 9.8 (CRITICAL)
CVE-2024-11178 — Login: The Login With OTP plugin for WordPress is vulnerable to authentication bypass in versions
The Login With OTP plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.4.2. This is due to the plugin generating too weak OTP, and there’s no attempt or time limit. This makes it possible for unauthenticated attackers to generate and brute force the 6-digit numeric OTP that makes it possible to log in as any existing user on the site, such as an administrator, if they have access to the email. CVSSv3.1 8.1 (HIGH)
CVE-2024-54221 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in roninwp FAT Services Booking fat-services-booking.This issue affects FAT Services Booking: from n/a through <= 5.6. CVSSv3.1 9.3 (CRITICAL)
CVE-2024-10587 — Interactive: The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor
The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.7.5.1 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme CVSSv3.1 8.8 (HIGH)
CloudGoat Official Walkthrough Series: ‘sqs_flag_shop’
Rhino Security Labs published an official walkthrough of the 'sqs_flag_shop' CloudGoat scenario, a deliberately vulnerable AWS environment designed for penetration testing training. The walkthrough demonstrates AWS IAM enumeration, role assumption, SQS queue exploitation, and web application reconnaissance to escalate privileges and capture a flag.
Windows Sockets: From Registered I/O to SYSTEM Privileges
Exodus Intelligence published a detailed technical writeup of CVE-2024-38193, a use-after-free vulnerability in Windows afd.sys driver's Registered I/O (RIO) extension for Windows Sockets. The vulnerability stems from a race condition between AfdRioGetAndCacheBuffer() and AfdRioDereferenceBuffer() functions, allowing attackers to trigger UAF and achieve SYSTEM privilege escalation. The vulnerability was patched in August 2024 Patch Tuesday.
CVE-2024-53793 — Site: Cross-Site Request Forgery (CSRF) vulnerability in jerodmoore eDoc Easy Tables edoc-easy-tables allows Blind SQL
Cross-Site Request Forgery (CSRF) vulnerability in jerodmoore eDoc Easy Tables edoc-easy-tables allows Blind SQL Injection.This issue affects eDoc Easy Tables: from n/a through <= 1.29. CVSSv3.1 8.2 (HIGH)
CVE-2024-53792 — Kibokolabs Watu_quiz: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bob Watu Quiz watu allows SQL Injection.This issue affects Watu Quiz: from n/a through <= 3.4.1.2. CVSSv3.1 8.5 (HIGH)
CVE-2024-52476 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Stefan Bohacek Fediverse Embeds fediverse-embeds
Unrestricted Upload of File with Dangerous Type vulnerability in Stefan Bohacek Fediverse Embeds fediverse-embeds allows Upload a Web Shell to a Web Server.This issue affects Fediverse Embeds: from n/a through <= 1.5.3. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-53739 — Coolplugins Cryptocurrency_widgets_for_elementor: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Cool Plugins Cryptocurrency Widgets For Elementor cryptocurrency-widgets-for-elementor allows PHP Local File Inclusion.This issue affects Cryptocurrency Widgets For Elementor: from n/a through <= 1.6.4. CVSSv3.1 8.1 (HIGH)
CVE-2024-52495 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Distance Based Shipping Calculator distance-based-shipping-calculator allows SQL Injection.This issue affects Distance Based Shipping Calculator: from n/a through <= 2.0.23. CVSSv3.1 8.5 (HIGH)
CVE-2024-52490 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in pathomation Pathomation pathomation allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in pathomation Pathomation pathomation allows Upload a Web Shell to a Web Server.This issue affects Pathomation: from n/a through <= 2.5.1. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-52475 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in Information Technology Wawp automation-web-platform
Authentication Bypass Using an Alternate Path or Channel vulnerability in Information Technology Wawp automation-web-platform allows Authentication Bypass.This issue affects Wawp: from n/a through < 3.0.18. CVSSv3.1 9.8 (CRITICAL)