2024-07-04
2024-07-04 09:15Z
HIGH

CVE-2024-6318 — Wbolt Imgspider: The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6318

The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_img_file' function in all versions up to, and including, 2.3.10. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 8.8 (HIGH)

CWECWE 434VNDWboltVNDImgspiderTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-04
2024-07-04 04:15Z
HIGH

CVE-2024-2385 — Livemeshelementor Addons_for_elementor: The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Local File Inclusion

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-2385

The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.4 via several of the plugin's widgets through the 'style' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve CVSSv3.1 8.8 (HIGH)

CWECWE 22VNDElementorVNDLivemeshelementorTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-02
2024-07-02 07:15Z
CRIT

CVE-2024-6172 — Icegram Email_subscribers_\&_newsletters: The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress &

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6172

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries CVSSv3.1 9.8 (CRITICAL)

CWECWE 89VNDIcegramTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-07-02
2024-07-02 05:15Z
HIGH

CVE-2024-5349 — La-studioweb Element_kit_for_elementor: The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5349

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.8.1 via the 'map_style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases CVSSv3.1 8.8 (HIGH)

CWECWE 22VNDLa StudiowebVNDStudioTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-07-01
2024-07-01 13:15Z
HIGH

CVE-2024-6387 — Sonicwall Sma_6200_firmware: There is a race condition which can lead sshd to handle some signals in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6387

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. CVSSv3.1 8.1 (HIGH) · EPSS 98th percentile

CWECWE 362CWECWE 364VNDAristaVNDSonicwallVNDCanonicalTYPVulnerability
8.1
CVSS v3.1
100
Edit Score
2024-06-29
2024-06-29 13:15Z
HIGH

CVE-2024-2386 — WordPress: The WordPress Plugin for Google Maps – WP MAPS plugin for WordPress is vulnerable

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-2386

The WordPress Plugin for Google Maps – WP MAPS plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'put_wpgm' shortcode in all versions up to, and including, 4.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that ca CVSSv3.1 8.8 (HIGH)

CWECWE 89VNDWordpressTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-06-29
2024-06-29 05:15Z
CRIT

CVE-2024-6265 — Ayecode Userswp: The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6265

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uwp_sort_by’ parameter in all versions up to, and including, 1.2.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing CVSSv3.1 9.8 (CRITICAL)

CWECWE 89VNDAyecodeVNDUserswpTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
728 × 90 / responsive · programmatic ad slot
2024-06-28
2024-06-28 23:15Z
CRIT

CVE-2024-37371 — Mit Kerberos_5: In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-37371

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. CVSSv3.1 9.1 (CRITICAL) · EPSS 86th percentile

CWECWE 125VNDMitTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2024-06-27
2024-06-27 13:15Z
CRIT

CVE-2024-1107 — Talyabilisim Travel_apps: Authorization Bypass Through User-Controlled Key vulnerability in Talya Informatics Travel APPS allows Exploiting Incorrectly

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1107

Authorization Bypass Through User-Controlled Key vulnerability in Talya Informatics Travel APPS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travel APPS: before v17.0.68. CVSSv3.1 9.8 (CRITICAL) · EPSS 7th percentile

CWECWE 639VNDTalyabilisimTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-06-27
2024-06-27 11:15Z
CRIT

CVE-2024-5535 — Issue: In particular this issue could result in up to 255 bytes of arbitrary private

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5535

Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only CVSSv3.1 9.1 (CRITICAL) · EPSS 90th percentile

CWECWE 125TYPVulnerability
9.1
CVSS v3.1
97
Edit Score
2024-06-27
2024-06-27 10:15Z
CRIT

CVE-2024-0949 — Authentication: Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-0949

Missing Authentication, Files or Directories Accessible to External Parties, Use of Hard-coded Credentials vulnerability in Talya Informatics Elektraweb allows Authentication Bypass. This issue affects Elektraweb: before v17.0.68. CVSSv3.1 9.8 (CRITICAL) · EPSS 7th percentile

CWECWE 552CWECWE 306CWECWE 798TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-06-27
2024-06-27 10:15Z
CRIT

CVE-2024-0947 — Reliance: on Cookies without Validation and Integrity Checking vulnerability in Talya Informatics Elektraweb allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-0947

Reliance on Cookies without Validation and Integrity Checking vulnerability in Talya Informatics Elektraweb allows Session Credential Falsification through Manipulation, Accessing/Intercepting/Modifying HTTP Cookies, Manipulating Opaque Client-based Data Tokens. This issue affects Elektraweb: before v17.0.68. CVSSv3.1 9.8 (CRITICAL) · EPSS 32th percentile

CWECWE 565VNDRelianceTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-06-27
2024-06-27 03:15Z
HIGH

CVE-2024-6054 — Auto-featured-image_project Auto-featured-image: The Auto Featured Image plugin for WordPress is vulnerable to arbitrary file uploads due

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6054

The Auto Featured Image plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'create_post_attachment_from_url' function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 8.8 (HIGH)

CWECWE 434VNDAuto Featured Image ProjectVNDAutoTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-06-26
2024-06-26 15:15Z
CRIT

CVE-2024-4228 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE -

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-4228

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 200 - Exposure of Sensitive Information to an Unauthorized Actor, CWE - 522 - Insufficiently Protected Credentials vulnerability in Magarsus Consultancy SSO (Single Sign On) allows SQL Injection. This issue affects SSO (Single Sign On): from 1.0 before 1.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 43th percentile

CWECWE 89TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-06-25
2024-06-25 09:15Z
CRIT

CVE-2024-6028 — Ays-pro Quiz_maker: The Quiz Maker plugin for WordPress is vulnerable to time-based SQL Injection via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6028

The Quiz Maker plugin for WordPress is vulnerable to time-based SQL Injection via the 'ays_questions' parameter in all versions up to, and including, 6.5.8.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. CVSSv3.1 9.8 (CRITICAL)

CWECWE 89VNDAys ProVNDQuizTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-06-25
2024-06-25 06:15Z
HIGH

CVE-2024-5431 — Themewinter Wpcafe: The WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce plugin

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5431

The WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.25 via the reservation_extra_field shortcode parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include remote files on the server, potentially resulting in code execution CVSSv3.1 8.8 (HIGH)

CWECWE 98VNDThemewinterVNDWpcafeTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-06-24
2024-06-24 13:15Z
CRIT

CVE-2024-37228 — Instawp Instawp_connect: Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP InstaWP Connect instawp-connect.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-37228

Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.38. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434VNDInstawpTYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2024-06-24
2024-06-24 09:15Z
CRIT

CVE-2024-5683 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in Next4Biz CRM & BPM

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5683

Improper Control of Generation of Code ('Code Injection') vulnerability in Next4Biz CRM & BPM Software Business Process Manangement (BPM) allows Remote Code Inclusion. This issue affects Business Process Manangement (BPM): from 6.6.4.4 before 6.6.4.5. CVSSv3.1 9.8 (CRITICAL) · EPSS 41th percentile

CWECWE 94TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-06-21
2024-06-21 10:15Z
CRIT

CVE-2024-6027 — Themify Product_filter: The Themify – WooCommerce Product Filter plugin for WordPress is vulnerable to time-based SQL

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6027

The Themify – WooCommerce Product Filter plugin for WordPress is vulnerable to time-based SQL Injection via the ‘conditions’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the dat CVSSv3.1 9.8 (CRITICAL)

CWECWE 89VNDThemifyTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-06-21
2024-06-21 05:15Z
CRIT

CVE-2024-5756 — Icegram Icegram_express: The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress &

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5756

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries CVSSv3.1 9.8 (CRITICAL)

CWECWE 89VNDIcegramTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-06-21
2024-06-21 04:15Z
HIGH

CVE-2024-5455 — Posimyth The_plus_addons_for_elementor: The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5455

The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sens CVSSv3.1 8.8 (HIGH)

CWECWE 98VNDPosimythVNDPlusTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-06-21
2024-06-21 02:15Z
HIGH

CVE-2024-5503 — Codevibrant Wp_blog_post_layouts: The WP Blog Post Layouts plugin for WordPress is vulnerable to Local File Inclusion

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5503

The WP Blog Post Layouts plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.3. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types ca CVSSv3.1 8.8 (HIGH)

CWECWE 98VNDCodevibrantVNDBlogTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-06-20
2024-06-20 17:15Z
HIGH

CVE-2024-37626 — Totolink A6000r_firmware: A command injection issue in TOTOLINK A6000R V1.0.1-B20201211.2000 firmware allows a remote attacker to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-37626

A command injection issue in TOTOLINK A6000R V1.0.1-B20201211.2000 firmware allows a remote attacker to execute arbitrary code via the iface parameter in the vif_enable function. CVSSv3.1 8.8 (HIGH) · EPSS 76th percentile

CWECWE 78VNDTotolinkTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2024-06-20
2024-06-20 16:15Z
HIGH

CVE-2024-37676 — An issue in htop-dev htop v.2.20 allows a local attacker to cause an out-of-bounds

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-37676

An issue in htop-dev htop v.2.20 allows a local attacker to cause an out-of-bounds access in the Header_populateFromSettings function. CVSSv3.1 8.4 (HIGH) · EPSS 12th percentile

CWECWE 787CWECWE 119TYPVulnerability
8.4
CVSS v3.1
92
Edit Score
2024-06-20
2024-06-20 07:15Z
CRIT

CVE-2024-4098 — Datenverwurstungszentrale Shariff_wrapper: The Shariff Wrapper plugin for WordPress is vulnerable to Local File Inclusion in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-4098

The Shariff Wrapper plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.6.13 via the shariff3uu_fetch_sharecounts function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and inc CVSSv3.1 9.8 (CRITICAL)

CWECWE 552CWECWE 22VNDDatenverwurstungszentraleVNDShariffTYPVulnerability
9.8
CVSS v3.1
99
Edit Score