2024-07-24
2024-07-24 19:15Z
HIGH

CVE-2024-40495 — Linksys E2500_firmware: A vulnerability was discovered in Linksys Router E2500 with firmware 2.0.00, allows authenticated attackers

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-40495

A vulnerability was discovered in Linksys Router E2500 with firmware 2.0.00, allows authenticated attackers to execute arbitrary code via the hnd_parentalctrl_unblock function. CVSSv3.1 8.0 (HIGH) · EPSS 54th percentile

CWECWE 94VNDLinksysTYPVulnerability
8.0
CVSS v3.1
90
Edit Score
2024-07-22
2024-07-22 11:15Z
HIGH

CVE-2024-38708 — Ukrsolution Barcode_scanner_and_inventory_manager: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-38708

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager barcode-scanner-lite-pos-to-manage-products-inventory-and-orders.This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through <= 1.6.1. CVSSv3.1 8.5 (HIGH)

CWECWE 89VNDUkrsolutionTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2024-07-20
2024-07-20 09:15Z
HIGH

CVE-2024-6497 — Squirrly Seo_plugin_by_squirrly_seo: The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Stored Cross-Site

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6497

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 12.3.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-43286 appears to be a duplicate of this issue. CVSSv3.1 8.8 (HIGH)

CWECWE 89CWECWE 79VNDSquirrlyVNDSeoTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-19
2024-07-19 05:15Z
HIGH

CVE-2024-21527 — Versions of the package github.com/gotenberg/gotenberg/v8/pkg/gotenberg before 8.1.0; versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/chromium before 8.1.0

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-21527

Versions of the package github.com/gotenberg/gotenberg/v8/pkg/gotenberg before 8.1.0; versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/chromium before 8.1.0; versions of the package github.com/gotenberg/gotenberg/v8/pkg/modules/webhook before 8.1.0 are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when a request is made to a file via localhost, such as <iframe src="\\localhost/etc/passwd">. By exploiting this vulnerabilit CVSSv3.1 8.2 (HIGH) · EPSS 43th percentile

CWECWE 918TYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2024-07-18
2024-07-18 18:15Z
CRIT

CVE-2024-0857 — Uni-yaz Flexwater_corporate_water_management: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-0857

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Universal Software Inc. FlexWater Corporate Water Management allows SQL Injection. This issue affects FlexWater Corporate Water Management: before 5.452.0. CVSSv3.1 9.8 (CRITICAL) · EPSS 31th percentile

CWECWE 89VNDUni YazTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-07-18
2024-07-18 17:15Z
CRIT

CVE-2024-5619 — Authorization: Bypass Through User-Controlled Key vulnerability in PruvaSoft Informatics Apinizer Management Console allows Exploiting

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5619

Authorization Bypass Through User-Controlled Key vulnerability in PruvaSoft Informatics Apinizer Management Console allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Apinizer Management Console: before 2024.05.1. CVSSv3.1 9.6 (CRITICAL) · EPSS 8th percentile

CWECWE 639TYPVulnerability
9.6
CVSS v3.1
98
Edit Score
2024-07-18
2024-07-18 17:15Z
CRIT

CVE-2024-5618 — Incorrect: Permission Assignment for Critical Resource vulnerability in PruvaSoft Informatics Apinizer Management Console allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5618

Incorrect Permission Assignment for Critical Resource vulnerability in PruvaSoft Informatics Apinizer Management Console allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Apinizer Management Console: before 2024.05.1. CVSSv3.1 9.9 (CRITICAL) · EPSS 32th percentile

CWECWE 732TYPVulnerability
9.9
CVSS v3.1
100
Edit Score
728 × 90 / responsive · programmatic ad slot
2024-07-18
2024-07-18 09:15Z
HIGH

CVE-2024-3242 — Brizy Brizy: The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-3242

The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension validation in the validateImageContent function called via storeImages in all versions up to, and including, 2.4.43. This makes it possible for authenticated attackers, with contributor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Version 2.4.44 prevents the upload of files ending in .sh CVSSv3.1 8.8 (HIGH)

CWECWE 434VNDBrizyTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-18
2024-07-18 02:15Z
HIGH

CVE-2024-5726 — Timeline: The Timeline Event History plugin for WordPress is vulnerable to PHP Object Injection in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5726

The Timeline Event History plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1 via deserialization of untrusted input 'timelines-data' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the CVSSv3.1 8.8 (HIGH)

CWECWE 502VNDTimelineTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-17
2024-07-17 08:15Z
CRIT

CVE-2024-6220 — Keydatas Keydatas: The 简数采集器 (Keydatas) plugin for WordPress is vulnerable to arbitrary file uploads due to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6220

The 简数采集器 (Keydatas) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the keydatas_downloadImages function in all versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 9.8 (CRITICAL)

CWECWE 434VNDKeydatasTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-07-17
2024-07-17 07:15Z
HIGH

CVE-2024-6660 — Reputeinfosystems Bookingpress: The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6660

The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the bookingpress_import_data_continue_process_func function in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site an CVSSv3.1 8.8 (HIGH)

CWECWE 862CWECWE 280VNDReputeinfosystemsVNDBookingpressTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-17
2024-07-17 07:15Z
HIGH

CVE-2024-6467 — Reputeinfosystems Bookingpress: The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6467

The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to Arbitrary File Read to Arbitrary File Creation in all versions up to, and including, 1.1.5 via the 'bookingpress_save_lite_wizard_settings_func' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary files that contain the content of files (either on the local server or from a remote locati CVSSv3.1 8.8 (HIGH)

CWECWE 73VNDReputeinfosystemsVNDBookingpressTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-16
2024-07-16 23:15Z
HIGH

CVE-2024-21182 — Oracle Weblogic_server: Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-21182

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base S CVSSv3.1 7.5 (HIGH) · EPSS 99th percentile

VNDOracleVNDVulnerabilityTYPVulnerability
7.5
CVSS v3.1
100
Edit Score
2024-07-16
2024-07-16 11:15Z
CRIT

CVE-2024-6457 — Pluginus Husky_-_products_filter_professional_for_woocommerce: The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6457

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the ‘woof_author’ parameter in all versions up to, and including, 1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive informa CVSSv3.1 9.8 (CRITICAL)

CWECWE 89VNDPluginusVNDHuskyTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-07-12
2024-07-12 14:15Z
CRIT

CVE-2024-37927 — Incorrect: Privilege Assignment vulnerability in NooTheme Jobmonster noo-jobmonster allows Privilege Escalation.This issue affects Jobmonster

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-37927

Incorrect Privilege Assignment vulnerability in NooTheme Jobmonster noo-jobmonster allows Privilege Escalation.This issue affects Jobmonster: from n/a through <= 4.7.5. CVSSv3.1 9.8 (CRITICAL) · EPSS 39th percentile

CWECWE 266TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-07-12
2024-07-12 14:15Z
HIGH

CVE-2024-37560 — Incorrect: Privilege Assignment vulnerability in iqbalrony WP User Switch wp-user-switch allows Privilege Escalation.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-37560

Incorrect Privilege Assignment vulnerability in iqbalrony WP User Switch wp-user-switch allows Privilege Escalation.This issue affects WP User Switch: from n/a through <= 1.1.3. CVSSv3.1 8.0 (HIGH)

CWECWE 266TYPVulnerability
8.0
CVSS v3.1
90
Edit Score
2024-07-12
2024-07-12 13:15Z
HIGH

CVE-2024-5325 — Wpvibes Form_vibes: The Form Vibes plugin for WordPress is vulnerable to SQL Injection via the ‘fv_export_data’

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5325

The Form Vibes plugin for WordPress is vulnerable to SQL Injection via the ‘fv_export_data’ parameter in all versions up to, and including, 1.4.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from CVSSv3.1 8.8 (HIGH)

CWECWE 89VNDWpvibesVNDFormTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-12
2024-07-12 11:15Z
CRIT

CVE-2024-6328 — Inspireui Mstore_api: The MStore API – Create Native Android & iOS Apps On The Cloud plugin

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6328

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. This is due to insufficient verification on the 'phone' parameter of the 'firebase_sms_login' and 'firebase_sms_login_v2' functions. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email address or phone numbe CVSSv3.1 9.8 (CRITICAL)

CWECWE 862CWECWE 288VNDInspireuiVNDMstoreTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-07-12
2024-07-12 09:15Z
HIGH

CVE-2024-6353 — Standalonetech Terawallet: The Wallet for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6353

The Wallet for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'search[value]' parameter in all versions up to, and including, 1.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive informa CVSSv3.1 8.8 (HIGH)

CWECWE 89VNDStandalonetechVNDWalletTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-11
2024-07-11 07:15Z
HIGH

CVE-2024-6666 — Wedevs Wp_erp: The WP ERP plugin for WordPress is vulnerable to SQL Injection via the ‘vendor_id’

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6666

The WP ERP plugin for WordPress is vulnerable to SQL Injection via the ‘vendor_id’ and 'status' parameter in all versions up to, and including, 1.13.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Accounting Manager access (erp_ac_view_sales_summary capability) and above, to append additional SQL queries into already existing queries that can b CVSSv3.1 8.8 (HIGH)

CWECWE 89VNDWedevsVNDErpTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-11
2024-07-11 07:15Z
CRIT

CVE-2024-6624 — Parorrey Json_api_user: The JSON API User plugin for WordPress is vulnerable to privilege escalation in all

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6624

The JSON API User plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.9.3. This is due to improper controls on custom user meta fields. This makes it possible for unauthenticated attackers to register as administrators on the site. The plugin requires the JSON API plugin to also be installed. CVSSv3.1 9.8 (CRITICAL)

CWECWE 269VNDParorreyTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-07-11
2024-07-11 04:15Z
CRIT

CVE-2024-6397 — Instawp Instawp_connect: The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6397

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username, and to perform a variety of other administrative tasks. NOTE: This vulnerability was partially fixed i CVSSv3.1 9.8 (CRITICAL)

CWECWE 288CWECWE 287VNDInstawpTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-07-10
2024-07-10 05:15Z
HIGH

CVE-2024-6411 — Metagauss Profilegrid: The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6411

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.8.9. This is due to a lack of validation on user-supplied data in the 'pm_upload_image' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their user capabilities to Administrator. CVSSv3.1 8.8 (HIGH)

CWECWE 269VNDMetagaussVNDProfilegridTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-10
2024-07-10 02:15Z
HIGH

CVE-2024-5792 — Houzez: The Houzez CRM plugin for WordPress is vulnerable to time-based SQL Injection via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5792

The Houzez CRM plugin for WordPress is vulnerable to time-based SQL Injection via the notes ‘belong_to’ parameter in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level (seller) access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive in CVSSv3.1 8.8 (HIGH)

CWECWE 89VNDHouzezTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-10
2024-07-10 02:15Z
HIGH

CVE-2023-7062 — Advanced: The Advanced File Manager Shortcodes plugin for WordPress is vulnerable to Directory Traversal in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-7062

The Advanced File Manager Shortcodes plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4. This makes it possible for attackers with contributor access or higher to read the contents of arbitrary files on the server, which can contain sensitive information. CVSSv3.1 8.8 (HIGH)

CWECWE 538VNDAdvancedTYPVulnerability
8.8
CVSS v3.1
94
Edit Score