2024-12-09
2024-12-09 13:15Z
HIGH

CVE-2023-48286 — Authorization: Missing Authorization vulnerability in mra13 Stripe Payments stripe-payments allows Exploiting Incorrectly Configured Access Control

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-48286

Missing Authorization vulnerability in mra13 Stripe Payments stripe-payments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Stripe Payments: from n/a through <= 2.0.79. CVSSv3.1 8.2 (HIGH) · EPSS 40th percentile

CWECWE 862TYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2024-12-09
2024-12-09 13:15Z
CRIT

CVE-2023-47805 — Themewinter Wpcafe: Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-47805

Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCafe: from n/a through <= 2.2.22. CVSSv3.1 9.8 (CRITICAL)

CWECWE 862VNDThemewinterTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-12-09
2024-12-09 13:15Z
HIGH

CVE-2023-47760 — Wpdeveloper Essential_blocks: Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg essential-blocks allows Exploiting Incorrectly Configured

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-47760

Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg essential-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Blocks for Gutenberg: from n/a through <= 4.2.0. CVSSv3.1 8.8 (HIGH)

CWECWE 862VNDWpdeveloperTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-12-09
2024-12-09 13:15Z
HIGH

CVE-2023-47698 — Authorization: Missing Authorization vulnerability in shohei.tanaka Japanized For WooCommerce woocommerce-for-japan allows Exploiting Incorrectly Configured Access

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-47698

Missing Authorization vulnerability in shohei.tanaka Japanized For WooCommerce woocommerce-for-japan allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Japanized For WooCommerce: from n/a through <= 2.6.4. CVSSv3.1 8.6 (HIGH) · EPSS 47th percentile

CWECWE 862TYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2024-12-09
2024-12-09 13:15Z
CRIT

CVE-2023-32117 — Authorization: Missing Authorization vulnerability in princeahmed Integrate Google Drive integrate-google-drive allows Exploiting Incorrectly Configured Access

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-32117

Missing Authorization vulnerability in princeahmed Integrate Google Drive integrate-google-drive allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Integrate Google Drive: from n/a through <= 1.1.99. CVSSv3.1 9.8 (CRITICAL)

CWECWE 862TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-12-06
2024-12-06 14:15Z
CRIT

CVE-2024-54214 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in roninwp Revy revy allows Upload

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-54214

Unrestricted Upload of File with Dangerous Type vulnerability in roninwp Revy revy allows Upload a Web Shell to a Web Server.This issue affects Revy: from n/a through <= 1.18. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2024-12-06
2024-12-06 14:15Z
HIGH

CVE-2024-53815 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-53815

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in DOTonPAPER Pinpoint Booking System booking-system allows Blind SQL Injection.This issue affects Pinpoint Booking System: from n/a through <= 2.9.9.5.1. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
728 × 90 / responsive · programmatic ad slot
2024-12-06
2024-12-06 14:15Z
CRIT

CVE-2024-53810 — Authorization: Missing Authorization vulnerability in N-Media Simple User Registration wp-registration allows Accessing Functionality Not Properly

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-53810

Missing Authorization vulnerability in N-Media Simple User Registration wp-registration allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Simple User Registration: from n/a through <= 5.5. CVSSv3.1 9.1 (CRITICAL)

CWECWE 862TYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2024-12-06
2024-12-06 14:15Z
HIGH

CVE-2024-53808 — Basixonline Nex-forms: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-53808

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows SQL Injection.This issue affects NEX-Forms: from n/a through <= 8.7.8. CVSSv3.1 8.5 (HIGH)

CWECWE 89VNDBasixonlineTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2024-12-06
2024-12-06 14:15Z
HIGH

CVE-2024-53807 — Wpmailster Wp_mailster: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-53807

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in brandtoss WP Mailster wp-mailster allows Blind SQL Injection.This issue affects WP Mailster: from n/a through <= 1.8.16.0. CVSSv3.1 8.5 (HIGH)

CWECWE 89VNDWpmailsterTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2024-12-06
2024-12-06 14:15Z
CRIT

CVE-2024-51815 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-51815

Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member allows Code Injection.This issue affects s2Member: from n/a through <= 241114. CVSSv3.1 9.0 (CRITICAL)

CWECWE 94TYPVulnerability
9.0
CVSS v3.1
95
Edit Score
2024-12-06
2024-12-06 14:15Z
CRIT

CVE-2024-51615 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-51615

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Marka WordPress Auction Plugin wp-auctions allows SQL Injection.This issue affects WordPress Auction Plugin: from n/a through <= 3.7. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2024-12-06
2024-12-06 09:15Z
CRIT

CVE-2024-12155 — SV100: The SV100 Companion plugin for WordPress is vulnerable to unauthorized modification of data that

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-12155

The SV100 Companion plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the settings_import() function in all versions up to, and including, 2.0.02. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gai CVSSv3.1 9.8 (CRITICAL)

CWECWE 862VNDSv100TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-12-06
2024-12-06 07:15Z
HIGH

CVE-2024-11178 — Login: The Login With OTP plugin for WordPress is vulnerable to authentication bypass in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-11178

The Login With OTP plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.4.2. This is due to the plugin generating too weak OTP, and there’s no attempt or time limit. This makes it possible for unauthenticated attackers to generate and brute force the 6-digit numeric OTP that makes it possible to log in as any existing user on the site, such as an administrator, if they have access to the email. CVSSv3.1 8.1 (HIGH)

CWECWE 288VNDLoginTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2024-12-05
2024-12-05 00:15Z
CRIT

CVE-2024-54221 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-54221

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in roninwp FAT Services Booking fat-services-booking.This issue affects FAT Services Booking: from n/a through <= 5.6. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2024-12-04
2024-12-04 03:15Z
HIGH

CVE-2024-10587 — Interactive: The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-10587

The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.7.5.1 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme CVSSv3.1 8.8 (HIGH)

CWECWE 502VNDInteractiveTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-12-03
2024-12-03 14:05Z
INFO

CloudGoat Official Walkthrough Series: ‘sqs_flag_shop’

Rhino Security Labs·rhinosecuritylabs.com

Rhino Security Labs published an official walkthrough of the 'sqs_flag_shop' CloudGoat scenario, a deliberately vulnerable AWS environment designed for penetration testing training. The walkthrough demonstrates AWS IAM enumeration, role assumption, SQS queue exploitation, and web application reconnaissance to escalate privileges and capture a flag.

TACTA0004TACTA0007SRFCloudVNDAmazon Web ServicesTYPToolTYPWriteupSTGPrivescSTGInitial Access
62
Edit Score
2024-12-02
2024-12-02 16:49Z
HIGH

Windows Sockets: From Registered I/O to SYSTEM Privileges

Exodus Intel·blog.exodusintel.comCVE-2024-38193

Exodus Intelligence published a detailed technical writeup of CVE-2024-38193, a use-after-free vulnerability in Windows afd.sys driver's Registered I/O (RIO) extension for Windows Sockets. The vulnerability stems from a race condition between AfdRioGetAndCacheBuffer() and AfdRioDereferenceBuffer() functions, allowing attackers to trigger UAF and achieve SYSTEM privilege escalation. The vulnerability was patched in August 2024 Patch Tuesday.

SRFOsTACTA0004VNDMicrosoftTYPResearchTYPWriteupTYPExploitSTGPrivescTECT1548
78
Edit Score
2024-12-02
2024-12-02 14:15Z
HIGH

CVE-2024-53793 — Site: Cross-Site Request Forgery (CSRF) vulnerability in jerodmoore eDoc Easy Tables edoc-easy-tables allows Blind SQL

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-53793

Cross-Site Request Forgery (CSRF) vulnerability in jerodmoore eDoc Easy Tables edoc-easy-tables allows Blind SQL Injection.This issue affects eDoc Easy Tables: from n/a through <= 1.29. CVSSv3.1 8.2 (HIGH)

CWECWE 352TYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2024-12-02
2024-12-02 14:15Z
HIGH

CVE-2024-53792 — Kibokolabs Watu_quiz: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-53792

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bob Watu Quiz watu allows SQL Injection.This issue affects Watu Quiz: from n/a through <= 3.4.1.2. CVSSv3.1 8.5 (HIGH)

CWECWE 89VNDKibokolabsTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2024-12-02
2024-12-02 14:15Z
CRIT

CVE-2024-52476 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Stefan Bohacek Fediverse Embeds fediverse-embeds

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52476

Unrestricted Upload of File with Dangerous Type vulnerability in Stefan Bohacek Fediverse Embeds fediverse-embeds allows Upload a Web Shell to a Web Server.This issue affects Fediverse Embeds: from n/a through <= 1.5.3. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2024-11-30
2024-11-30 21:15Z
HIGH

CVE-2024-53739 — Coolplugins Cryptocurrency_widgets_for_elementor: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-53739

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Cool Plugins Cryptocurrency Widgets For Elementor cryptocurrency-widgets-for-elementor allows PHP Local File Inclusion.This issue affects Cryptocurrency Widgets For Elementor: from n/a through <= 1.6.4. CVSSv3.1 8.1 (HIGH)

CWECWE 98CWECWE 706VNDCoolpluginsTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2024-11-28
2024-11-28 11:15Z
HIGH

CVE-2024-52495 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52495

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Distance Based Shipping Calculator distance-based-shipping-calculator allows SQL Injection.This issue affects Distance Based Shipping Calculator: from n/a through <= 2.0.23. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2024-11-28
2024-11-28 11:15Z
CRIT

CVE-2024-52490 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in pathomation Pathomation pathomation allows Upload

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52490

Unrestricted Upload of File with Dangerous Type vulnerability in pathomation Pathomation pathomation allows Upload a Web Shell to a Web Server.This issue affects Pathomation: from n/a through <= 2.5.1. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2024-11-28
2024-11-28 11:15Z
CRIT

CVE-2024-52475 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in Information Technology Wawp automation-web-platform

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52475

Authentication Bypass Using an Alternate Path or Channel vulnerability in Information Technology Wawp automation-web-platform allows Authentication Bypass.This issue affects Wawp: from n/a through < 3.0.18. CVSSv3.1 9.8 (CRITICAL)

CWECWE 288TYPVulnerability
9.8
CVSS v3.1
99
Edit Score