2024-04-09
2024-04-09 19:15Z
HIGH

CVE-2024-1974 — Hasthemes Ht_mega: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1974

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4.6 via the render function. This makes it possible for authenticated attackers, with contributor access or higher, to read the contents of arbitrary files on the server, which can contain sensitive information. CVSSv3.1 8.8 (HIGH) · EPSS 86th percentile

CWECWE 22VNDHasthemesVNDMegaTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2024-04-09
2024-04-09 19:15Z
HIGH

CVE-2024-1893 — Realestateconnected Easy_property_listings: The Easy Property Listings plugin for WordPress is vulnerable to time-based SQL Injection via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1893

The Easy Property Listings plugin for WordPress is vulnerable to time-based SQL Injection via the ‘property_status’ shortcode attribute in all versions up to, and including, 3.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access and above, to append additional SQL queries into already existing queries that can be used to extract CVSSv3.1 8.8 (HIGH) · EPSS 62th percentile

CWECWE 89VNDRealestateconnectedVNDEasyTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-04-09
2024-04-09 19:15Z
CRIT

CVE-2024-1813 — Presstigers Simple_job_board: The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1813

The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.11.0 via deserialization of untrusted input in the job_board_applicant_list_columns_value function. This makes it possible for unauthenticated attackers to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute CVSSv3.1 9.8 (CRITICAL) · EPSS 92th percentile

CWECWE 502VNDPresstigersVNDSimpleTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2024-04-09
2024-04-09 19:15Z
HIGH

CVE-2024-1315 — Radiustheme Classified_listing: The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1315

The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing or incorrect nonce validation on the 'rtcl_update_user_account' function. This makes it possible for unauthenticated attackers to change the administrator user's password and email address via a forged request granted they can trick a site administrator into performing an action CVSSv3.1 8.8 (HIGH) · EPSS 69th percentile

CWECWE 352VNDRadiusthemeVNDClassifiedTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-04-09
2024-04-09 19:15Z
HIGH

CVE-2023-6999 — Podsfoundation Pods: The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6999

The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Remote Code Exxecution via shortcode in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2). This makes it possible for authenticated attackers, with contributor level access or higher, to execute code on the server. CVSSv3.1 8.8 (HIGH) · EPSS 79th percentile

CWECWE 77VNDPodsfoundationVNDPodsTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-04-09
2024-04-09 19:15Z
HIGH

CVE-2023-6967 — Podsfoundation Pods: The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6967

The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to SQL Injection via shortcode in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor level access or higher, to append additional SQL queries into already existing qu CVSSv3.1 8.8 (HIGH) · EPSS 63th percentile

CWECWE 89VNDPodsfoundationVNDPodsTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-04-09
2024-04-09 19:15Z
HIGH

CVE-2023-6964 — Kadencewp Gutenberg_blocks_with_ai: The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6964

The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.26 via the 'kadence_import_get_new_connection_data' AJAX action. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services CVSSv3.1 8.5 (HIGH) · EPSS 57th percentile

CWECWE 918VNDKadencewpVNDGutenbergTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
728 × 90 / responsive · programmatic ad slot
2024-04-09
2024-04-09 09:15Z
HIGH

CVE-2024-31370 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-31370

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CodeIsAwesome AIKit aikit-wordpress-ai-writing-assistant-using-gpt3.This issue affects AIKit: from n/a through <= 4.14.1. CVSSv3.1 8.5 (HIGH) · EPSS 30th percentile

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2024-04-08
2024-04-08 23:15Z
CRIT

CVE-2024-22949 — Jfree Jfreechart: v1.5.4 was discovered to contain a NullPointerException via the component /chart/annotations/CategoryLineAnnotation.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-22949

JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /chart/annotations/CategoryLineAnnotation. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification. CVSSv3.1 9.1 (CRITICAL) · EPSS 51th percentile

CWECWE 125VNDJfreeVNDJfreechartTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2024-04-08
2024-04-08 20:15Z
CRIT

CVE-2024-23086 — Mikkotommila Apfloat: v1.10.1 was discovered to contain a stack overflow via the component org.apfloat.internal.DoubleModMath::modPow(double.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-23086

Apfloat v1.10.1 was discovered to contain a stack overflow via the component org.apfloat.internal.DoubleModMath::modPow(double. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification. CVSSv3.1 9.8 (CRITICAL)

CWECWE 125VNDMikkotommilaVNDApfloatTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-04-08
2024-04-08 20:15Z
CRIT

CVE-2024-23078 — JGraphT: Core v1.5.2 was discovered to contain a NullPointerException via the component org.jgrapht.alg.util.ToleranceDoubleComparator::compare(Double, Double).

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-23078

JGraphT Core v1.5.2 was discovered to contain a NullPointerException via the component org.jgrapht.alg.util.ToleranceDoubleComparator::compare(Double, Double). NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification. CVSSv3.1 9.1 (CRITICAL) · EPSS 51th percentile

CWECWE 476VNDJgraphtTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2024-04-07
2024-04-07 18:15Z
CRIT

CVE-2024-31280 — Church_admin_project Church_admin: Unrestricted Upload of File with Dangerous Type vulnerability in andy_moyle Church Admin church-admin.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-31280

Unrestricted Upload of File with Dangerous Type vulnerability in andy_moyle Church Admin church-admin.This issue affects Church Admin: from n/a through <= 4.1.5. CVSSv3.1 9.9 (CRITICAL) · EPSS 63th percentile

CWECWE 434VNDChurch Admin ProjectTYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2024-04-05
2024-04-05 12:15Z
HIGH

CVE-2023-6523 — Authorization: Bypass Through User-Controlled Key vulnerability in ExtremePacs Extreme XDS allows Authentication Abuse.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6523

Authorization Bypass Through User-Controlled Key vulnerability in ExtremePacs Extreme XDS allows Authentication Abuse. This issue affects Extreme XDS: before 3914. CVSSv3.1 8.8 (HIGH) · EPSS 9th percentile

CWECWE 639TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-04-05
2024-04-05 08:15Z
HIGH

CVE-2024-3217 — Wpdirectorykit Wp_directory_kit: The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-3217

The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value' and 'attribute_id' parameters in all versions up to, and including, 1.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract s CVSSv3.1 8.8 (HIGH) · EPSS 98th percentile

CWECWE 89VNDWpdirectorykitTYPVulnerability
8.8
CVSS v3.1
100
Edit Score
2024-04-05
2024-04-05 08:15Z
HIGH

CVE-2024-2115 — Thimpress Learnpress: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Cross-Site Request

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-2115

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.0. This is due to missing or incorrect nonce validation on the filter_users functions. This makes it possible for unauthenticated attackers to elevate their privileges to that of a teacher via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 51th percentile

CWECWE 352VNDThimpressVNDLearnpressTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-04-04
2024-04-04 03:15Z
HIGH

CVE-2024-2008 — Modal: The Modal Popup Box – Popup Builder, Show Offers And News in Popup plugin

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-2008

The Modal Popup Box – Popup Builder, Show Offers And News in Popup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.2 via deserialization of untrusted input in the awl_modal_popup_box_shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow CVSSv3.1 8.8 (HIGH) · EPSS 71th percentile

CWECWE 502VNDModalTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-04-03
2024-04-03 12:15Z
HIGH

CVE-2024-29477 — Dolibarr Dolibarr_erp\/crm: Lack of sanitization during Installation Process in Dolibarr ERP CRM up to version 19.0.0

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-29477

Lack of sanitization during Installation Process in Dolibarr ERP CRM up to version 19.0.0 allows an attacker with adjacent access to the network to execute arbitrary code via a specifically crafted input. CVSSv3.1 8.8 (HIGH) · EPSS 52th percentile

CWECWE 94VNDDolibarrVNDLackTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-04-03
2024-04-03 12:15Z
CRIT

CVE-2024-27972 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in Jack Arturo WP Fusion

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-27972

Improper Control of Generation of Code ('Code Injection') vulnerability in Jack Arturo WP Fusion Lite wp-fusion-lite.This issue affects WP Fusion Lite: from n/a through <= 3.41.24. CVSSv3.1 9.9 (CRITICAL) · EPSS 95th percentile

CWECWE 94TYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2024-04-03
2024-04-03 12:15Z
HIGH

CVE-2024-27191 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in inpersttion Slivery Extender slivery-extender

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-27191

Improper Control of Generation of Code ('Code Injection') vulnerability in inpersttion Slivery Extender slivery-extender allows Remote Code Inclusion.This issue affects Slivery Extender: from n/a through <= 1.0.2. CVSSv3.1 8.5 (HIGH) · EPSS 47th percentile

CWECWE 94TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2024-04-03
2024-04-03 12:15Z
CRIT

CVE-2024-25918 — Instawp Instawp_connect: Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP InstaWP Connect instawp-connect.This

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-25918

Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP InstaWP Connect instawp-connect.This issue affects InstaWP Connect: from n/a through <= 0.1.0.8. CVSSv3.1 9.9 (CRITICAL) · EPSS 73th percentile

CWECWE 94VNDInstawpTYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2024-04-03
2024-04-03 03:15Z
CRIT

CVE-2024-30166 — Trustedfirmware Mbed_tls: In Mbed TLS 3.3.0 through 3.5.2 before 3.6.0, a malicious client can cause information

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-30166

In Mbed TLS 3.3.0 through 3.5.2 before 3.6.0, a malicious client can cause information disclosure or a denial of service because of a stack buffer over-read (of less than 256 bytes) in a TLS 1.3 server via a TLS 3.1 ClientHello. CVSSv3.1 9.1 (CRITICAL) · EPSS 58th percentile

CWECWE 121VNDMbedVNDTrustedfirmwareTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2024-03-31
2024-03-31 18:15Z
HIGH

CVE-2024-31094 — Filter: A vulnerability in websupporter Filter Custom Fields & Taxonomies Light filter-custom-fields-taxonomies-light.This issue affects Filter

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-31094

A vulnerability in websupporter Filter Custom Fields & Taxonomies Light filter-custom-fields-taxonomies-light.This issue affects Filter Custom Fields & Taxonomies Light: from n/a through <= 1.05. CVSSv3.1 8.5 (HIGH) · EPSS 63th percentile

CWECWE 502VNDFilterTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2024-03-30
2024-03-30 12:15Z
HIGH

CVE-2024-3018 — Wpdeveloper Essential_addons_for_elementor: The Essential Addons for Elementor plugin for WordPress is vulnerable to PHP Object Injection

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-3018

The Essential Addons for Elementor plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.9.13 via deserialization of untrusted input from the 'error_resetpassword' attribute of the "Login | Register Form" widget (disabled by default). This makes it possible for authenticated attackers, with author-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target syst CVSSv3.1 8.8 (HIGH) · EPSS 78th percentile

CWECWE 502VNDWpdeveloperVNDEssentialTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-03-30
2024-03-30 05:15Z
CRIT

CVE-2024-2086 — Integrate: The Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-2086

The Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX in all versions up to, and including, 1.3.8. This makes it possible for authenticated attackers to modify plugin settings as well as allowing full read/write/delete access to the CVSSv3.1 10.0 (CRITICAL) · EPSS 79th percentile

CWECWE 862VNDIntegrateTYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2024-03-30
2024-03-30 05:15Z
HIGH

CVE-2024-2047 — Wpmet Elements_kit_elementor_addons: The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-2047

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.6 via the render_raw function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where image CVSSv3.1 8.8 (HIGH) · EPSS 82th percentile

CWECWE 98VNDWpmetVNDElementskitTYPVulnerability
8.8
CVSS v3.1
94
Edit Score