2024-06-14
2024-06-14 08:15Z
CRIT

CVE-2024-5577 — Where: The Where I Was, Where I Will Be plugin for WordPress is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5577

The Where I Was, Where I Will Be plugin for WordPress is vulnerable to Remote File Inclusion in version <= 1.1.1 via the WIW_HEADER parameter of the /system/include/include_user.php file. This makes it possible for unauthenticated attackers to include and execute arbitrary files hosted on external servers, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. This requires allow_url CVSSv3.1 9.8 (CRITICAL)

CWECWE 98VNDWhereTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-06-14
2024-06-14 06:15Z
HIGH

CVE-2024-4404 — Wpmet Elementskit: The ElementsKit PRO plugin for WordPress is vulnerable to Server-Side Request Forgery in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-4404

The ElementsKit PRO plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.6.2 via the 'render_raw' function. This can allow authenticated attackers, with contributor-level permissions and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. CVSSv3.1 8.5 (HIGH)

CWECWE 918VNDWpmetVNDElementskitTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2024-06-14
2024-06-14 05:15Z
CRIT

CVE-2024-4936 — Canto Canto: The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-4936

The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. This required allow_url_include to be enabled on the target site in order to exploit. CVSSv3.1 9.8 (CRITICAL)

CWECWE 98VNDCantoTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-06-13
2024-06-13 09:15Z
CRIT

CVE-2024-4371 — Codexpert Codesigner: The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-4371

The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.1 via deserialization of untrusted input from the recently_viewed_products cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme ins CVSSv3.1 9.0 (CRITICAL)

CWECWE 502VNDCodexpertVNDCodesignerTYPVulnerability
9.0
CVSS v3.1
95
Edit Score
2024-06-13
2024-06-13 02:15Z
CRIT

CVE-2024-3922 — Dokan Dokan: The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code'

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-3922

The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. CVSSv3.1 10.0 (CRITICAL)

CWECWE 89VNDDokanTYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2024-06-12
2024-06-12 11:15Z
CRIT

CVE-2024-4898 — Instawp Instawp_connect: The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-4898

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts. CVSSv3.1 9.8 (CRITICAL)

CWECWE 862VNDInstawpTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-06-12
2024-06-12 10:15Z
HIGH

CVE-2024-4845 — Icegram Icegram_express: The Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘options[list_id]’

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-4845

The Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘options[list_id]’ parameter in all versions up to, and including, 5.7.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive informatio CVSSv3.1 8.8 (HIGH)

CWECWE 89VNDIcegramTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
728 × 90 / responsive · programmatic ad slot
2024-06-12
2024-06-12 02:15Z
HIGH

CVE-2024-5543 — Slideshow: The Slideshow Gallery LITE plugin for WordPress is vulnerable to time-based SQL Injection via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5543

The Slideshow Gallery LITE plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter in all versions up to, and including, 1.8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive informat CVSSv3.1 8.1 (HIGH)

CWECWE 89VNDSlideshowTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2024-06-11
2024-06-11 17:15Z
HIGH

CVE-2024-30103 — Microsoft 365_apps: Outlook Remote Code Execution Vulnerability

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-30103

Microsoft Outlook Remote Code Execution Vulnerability CVSSv3.1 8.8 (HIGH) · EPSS 95th percentile

CWECWE 184VNDMicrosoftTYPVulnerability
8.8
CVSS v3.1
98
Edit Score
2024-06-11
2024-06-11 07:15Z
CRIT

CVE-2024-3549 — Adenion Blog2social: The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-3549

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the 'b2sSortPostType' parameter in all versions up to, and including, 7.4.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used t CVSSv3.1 9.9 (CRITICAL) · EPSS 70th percentile

CWECWE 89VNDAdenionVNDBlog2socialTYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2024-06-11
2024-06-11 04:15Z
HIGH

CVE-2023-7264 — Buildapp Build_app_online: The Build App Online plugin for WordPress is vulnerable to account takeover due to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-7264

The Build App Online plugin for WordPress is vulnerable to account takeover due to a weak password reset mechanism in all versions up to, and including, 1.0.22. This makes it possible for unauthenticated attackers to reset the password of arbitrary users by guessing an 4-digit numeric reset code. CVSSv3.1 8.1 (HIGH) · EPSS 83th percentile

CWECWE 640VNDBuildappVNDBuildTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2024-06-08
2024-06-08 05:15Z
HIGH

CVE-2024-3668 — Ideabox Powerpack_addons_for_elementor: The PowerPack Pro for Elementor plugin for WordPress is vulnerable to privilege escalation in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-3668

The PowerPack Pro for Elementor plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.10.17. This is due to the plugin not restricting low privileged users from setting a default role for a registration form. This makes it possible for authenticated attackers, with contributor-level access and above, to create a registration form with administrator set as the default role and then register as an administrator. CVSSv3.1 8.8 (HIGH) · EPSS 40th percentile

CWECWE 732VNDIdeaboxVNDPowerpackTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-06-07
2024-06-07 06:15Z
CRIT

CVE-2024-3592 — Expresstech Quiz_and_survey_master: The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-3592

The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'question_id' parameter in all versions up to, and including, 9.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing quer CVSSv3.1 9.9 (CRITICAL) · EPSS 68th percentile

CWECWE 89VNDExpresstechVNDQuizTYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2024-06-06
2024-06-06 19:16Z
CRIT

CVE-2024-3166 — Mintplexlabs Anythingllm_desktop: A Cross-Site Scripting (XSS) vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-3166

A Cross-Site Scripting (XSS) vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application. The vulnerability arises from the application's feature to fetch and embed content from websites into workspaces, which can be exploited to execute arbitrary JavaScript code. In the desktop application, this flaw can be escalated to Remote Code Execution (RCE) due to insecure application settings, CVSSv3.1 9.6 (CRITICAL) · EPSS 57th percentile

CWECWE 79VNDMintplexlabsTYPVulnerability
9.6
CVSS v3.1
98
Edit Score
2024-06-06
2024-06-06 10:15Z
HIGH

CVE-2024-5329 — Unlimited-elements Unlimited_elements_for_elementor: The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5329

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to blind SQL Injection via the ‘data[addonID]’ parameter in all versions up to, and including, 1.5.109 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing CVSSv3.1 8.8 (HIGH) · EPSS 70th percentile

CWECWE 89VNDUnlimited ElementsVNDUnlimitedTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-06-06
2024-06-06 04:15Z
CRIT

CVE-2024-5153 — Web-shop-host Startklar_elmentor_addons: The Startklar Elementor Addons plugin for WordPress is vulnerable to Directory Traversal in all

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5153

The Startklar Elementor Addons plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.15 via the 'dropzone_hash' parameter. This makes it possible for unauthenticated attackers to copy the contents of arbitrary files on the server, which can contain sensitive information, and to delete arbitrary directories, including the root WordPress directory. CVSSv3.1 9.1 (CRITICAL) · EPSS 90th percentile

CWECWE 22VNDWeb Shop HostVNDStartklarTYPVulnerability
9.1
CVSS v3.1
97
Edit Score
2024-06-06
2024-06-06 02:15Z
HIGH

CVE-2024-5324 — Xootix Login\/signup_popup: Multiple plugins for WordPress utilizing the XootiX Framework are vulnerable to unauthorized modification of

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5324

Multiple plugins for WordPress utilizing the XootiX Framework are vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator. CVSSv3.1 8.8 (HIGH) · EPSS 98th percentile

CWECWE 862CWECWE 863VNDWordpressVNDXootixTYPVulnerability
8.8
CVSS v3.1
100
Edit Score
2024-06-06
2024-06-06 02:15Z
HIGH

CVE-2024-5179 — Codeless Cowidgets_elementor_addons: The Cowidgets – Elementor Addons plugin for WordPress is vulnerable to Local File Inclusion

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5179

The Cowidgets – Elementor Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.2 via the 'item_style' and 'style' parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in c CVSSv3.1 8.8 (HIGH) · EPSS 63th percentile

CWECWE 22VNDCodelessVNDCowidgetsTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-06-06
2024-06-06 02:15Z
HIGH

CVE-2023-6968 — Themoneytizer The_moneytizer: The The Moneytizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6968

The The Moneytizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.6.3. This is due to missing or incorrect nonce validation on multiple AJAX functions. This makes it possible for unauthenticated attackers to to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages as well as other lower-severity actions via a forged request granted they can trick a site administrator CVSSv3.1 8.1 (HIGH) · EPSS 36th percentile

CWECWE 352CWECWE 284VNDThemoneytizerVNDMoneytizerTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2024-06-06
2024-06-06 02:15Z
HIGH

CVE-2023-6966 — Themoneytizer The_moneytizer: The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6966

The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/core_ajax.php file in all versions up to, and including, 9.6.3. This makes it possible for authenticated attackers, with subscriber access and above, to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages as well as other lowe CVSSv3.1 8.1 (HIGH) · EPSS 65th percentile

CWECWE 862CWECWE 284VNDThemoneytizerVNDMoneytizerTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2024-06-05
2024-06-05 09:15Z
HIGH

CVE-2024-4743 — Lifterlms Lifterlms: The LifterLMS – WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-4743

The LifterLMS – WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to SQL Injection via the orderBy attribute of the lifterlms_favorites shortcode in all versions up to, and including, 7.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing CVSSv3.1 8.8 (HIGH) · EPSS 59th percentile

CWECWE 89VNDLifterlmsTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-06-05
2024-06-05 06:15Z
CRIT

CVE-2024-4295 — Icegram Email_subscribers_\&_newsletters: The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-4295

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘hash’ parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile

CWECWE 89VNDIcegramTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2024-06-04
2024-06-04 14:15Z
CRIT

CVE-2024-35700 — Userproplugin Userpro: Incorrect Privilege Assignment vulnerability in DeluxeThemes Userpro userpro.This issue affects Userpro: from n/a through

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-35700

Incorrect Privilege Assignment vulnerability in DeluxeThemes Userpro userpro.This issue affects Userpro: from n/a through <= 5.1.8. CVSSv3.1 9.8 (CRITICAL)

CWECWE 266VNDUserpropluginTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-06-04
2024-06-04 14:15Z
HIGH

CVE-2024-33568 — Bdthemes Element_pack: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in BdThemes

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-33568

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in BdThemes Element Pack Pro bdthemes-element-pack.This issue affects Element Pack Pro: from n/a through < 7.19.3. CVSSv3.1 8.5 (HIGH)

CWECWE 22VNDBdthemesTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2024-06-04
2024-06-04 02:15Z
CRIT

CVE-2024-4552 — Social: The Social Login Lite For WooCommerce plugin for WordPress is vulnerable to authentication bypass

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-4552

The Social Login Lite For WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.6.0. This is due to insufficient verification on the user being supplied during the social login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. CVSSv3.1 9.8 (CRITICAL) · EPSS 45th percentile

CWECWE 288VNDSocialTYPVulnerability
9.8
CVSS v3.1
99
Edit Score