2024-03-05
2024-03-05 13:15Z
CRIT

CVE-2023-7103 — Zksoftware Uface_5: Authentication Bypass by Primary Weakness vulnerability in ZKSoftware Biometric Security Solutions UFace 5 allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-7103

Authentication Bypass by Primary Weakness vulnerability in ZKSoftware Biometric Security Solutions UFace 5 allows Authentication Bypass. This issue affects UFace 5: through 12022024. CVSSv3.1 9.8 (CRITICAL) · EPSS 6th percentile

CWECWE 305VNDZksoftwareTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-03-05
2024-03-05 02:15Z
HIGH

CVE-2024-1731 — Rymera Auto_refresh_single_page: The Auto Refresh Single Page plugin for WordPress is vulnerable to PHP Object Injection

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1731

The Auto Refresh Single Page plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1 via deserialization of untrusted input from the arsp_options post meta option. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it cou CVSSv3.1 8.8 (HIGH) · EPSS 79th percentile

CWECWE 502VNDRymeraVNDAutoTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-03-05
2024-03-05 02:15Z
HIGH

CVE-2024-0825 — Davekiss Vimeography: The Vimeography: Vimeo Video Gallery WordPress Plugin plugin for WordPress is vulnerable to PHP

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-0825

The Vimeography: Vimeo Video Gallery WordPress Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.3.2 via deserialization of untrusted input via the vimeography_duplicate_gallery_serialized in the duplicate_gallery function. This makes it possible for authenticated attackers attackers, with contributor access or higher, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via CVSSv3.1 8.8 (HIGH) · EPSS 78th percentile

CWECWE 502VNDDavekissVNDVimeographyTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-03-01
2024-03-01 07:15Z
HIGH

CVE-2024-1859 — Awplife Slider_responsive_slideshow: The Slider Responsive Slideshow – Image slider, Gallery slideshow plugin for WordPress is vulnerable

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1859

The Slider Responsive Slideshow – Image slider, Gallery slideshow plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization of untrusted input to the awl_slider_responsive_shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin CVSSv3.1 8.8 (HIGH) · EPSS 73th percentile

CWECWE 502VNDAwplifeVNDSliderTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-02-29
2024-02-29 04:15Z
HIGH

CVE-2024-1468 — Theme-fusion Avada: The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1468

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_import_options() function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 8.8 (HIGH) · EPSS 88th percentile

CWECWE 434VNDTheme FusionVNDAvadaTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2024-02-29
2024-02-29 01:43Z
HIGH

CVE-2024-1317 — Themeisle Rss_aggregator_by_feedzy: The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1317

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to SQL Injection via the ‘search_key’ parameter in all versions up to, and including, 4.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access and above, to append additional SQL queries into already CVSSv3.1 8.8 (HIGH) · EPSS 68th percentile

CWECWE 89VNDThemeisleVNDRssTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-02-29
2024-02-29 01:43Z
HIGH

CVE-2024-1206 — Bootstrapped Wp_recipe_maker: The WP Recipe Maker plugin for WordPress is vulnerable to SQL Injection via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1206

The WP Recipe Maker plugin for WordPress is vulnerable to SQL Injection via the 'recipes' parameter in all versions up to, and including, 9.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the CVSSv3.1 8.8 (HIGH) · EPSS 71th percentile

CWECWE 89VNDBootstrappedVNDRecipeTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
728 × 90 / responsive · programmatic ad slot
2024-02-29
2024-02-29 01:43Z
MED

CVE-2024-0590 — Microsoft Clarity: The Microsoft Clarity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-0590

The Microsoft Clarity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the edit_clarity_project_id() function. This makes it possible for unauthenticated attackers to change the project id and add malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 6.1 (MEDIUM) · EPSS 96th percentile

CWECWE 352VNDMicrosoftTYPVulnerability
6.1
CVSS v3.1
88
Edit Score
2024-02-28
2024-02-28 22:15Z
HIGH

CVE-2024-22983 — Projectworlds Visitor_management_system: SQL injection vulnerability in Projectworlds Visitor Management System in PHP v.1.0 allows a remote

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-22983

SQL injection vulnerability in Projectworlds Visitor Management System in PHP v.1.0 allows a remote attacker to escalate privileges via the name parameter in the myform.php endpoint. CVSSv3.1 8.1 (HIGH) · EPSS 55th percentile

CWECWE 89VNDProjectworldsTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2024-02-28
2024-02-28 09:15Z
CRIT

CVE-2024-1514 — Wp-ecommerce Wp_ecommerce: The WP eCommerce plugin for WordPress is vulnerable to time-based blind SQL Injection via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1514

The WP eCommerce plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'cart_contents' parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. CVSSv3.1 9.8 (CRITICAL) · EPSS 72th percentile

CWECWE 89VNDWordpressVNDWp EcommerceTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-02-28
2024-02-28 09:15Z
HIGH

CVE-2024-0786 — Tatvic Conversios.io: The Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-0786

The Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the ee_syncProductCategory function using the parameters conditionData, valueData, productArray, exclude and include in all versions up to, and including, 7.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for au CVSSv3.1 8.8 (HIGH) · EPSS 61th percentile

CWECWE 89VNDTatvicVNDConversiosTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-02-27
2024-02-27 06:15Z
CRIT

CVE-2024-1698 — Wpdeveloper Notificationx: The NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1698

The NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can b CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile

CWECWE 89VNDWpdeveloperVNDNotificationxTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2024-02-26
2024-02-26 16:27Z
HIGH

CVE-2024-23605 — Ggml Llama.cpp: A heap-based buffer overflow vulnerability exists in the GGUF library header.n_kv functionality of llama.cpp

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-23605

A heap-based buffer overflow vulnerability exists in the GGUF library header.n_kv functionality of llama.cpp Commit 18c2e17. A specially crafted .gguf file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. CVSSv3.1 8.8 (HIGH) · EPSS 35th percentile

CWECWE 787CWECWE 190VNDGgmlTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-02-26
2024-02-26 16:27Z
HIGH

CVE-2024-23496 — Ggml Llama.cpp: A heap-based buffer overflow vulnerability exists in the GGUF library gguf_fread_str functionality of llama.cpp

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-23496

A heap-based buffer overflow vulnerability exists in the GGUF library gguf_fread_str functionality of llama.cpp Commit 18c2e17. A specially crafted .gguf file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. CVSSv3.1 8.8 (HIGH) · EPSS 35th percentile

CWECWE 787CWECWE 190VNDGgmlTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-02-26
2024-02-26 16:27Z
HIGH

CVE-2024-22873 — Tencent Blueking_configuration_management_database: Blueking CMDB v3.2.x to v3.9.x was discovered to contain a Server-Side Request Forgery

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-22873

Tencent Blueking CMDB v3.2.x to v3.9.x was discovered to contain a Server-Side Request Forgery (SSRF) via the event subscription function (/service/subscription.go). This vulnerability allows attackers to access internal requests via a crafted POST request. CVSSv3.1 8.1 (HIGH) · EPSS 47th percentile

CWECWE 918VNDTencentTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2024-02-26
2024-02-26 16:27Z
HIGH

CVE-2024-21836 — Ggml Llama.cpp: A heap-based buffer overflow vulnerability exists in the GGUF library header.n_tensors functionality of llama.cpp

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-21836

A heap-based buffer overflow vulnerability exists in the GGUF library header.n_tensors functionality of llama.cpp Commit 18c2e17. A specially crafted .gguf file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. CVSSv3.1 8.8 (HIGH) · EPSS 35th percentile

CWECWE 787CWECWE 190VNDGgmlTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-02-26
2024-02-26 16:27Z
HIGH

CVE-2024-21825 — Ggml Llama.cpp: A heap-based buffer overflow vulnerability exists in the GGUF library GGUF_TYPE_ARRAY/GGUF_TYPE_STRING parsing functionality of

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-21825

A heap-based buffer overflow vulnerability exists in the GGUF library GGUF_TYPE_ARRAY/GGUF_TYPE_STRING parsing functionality of llama.cpp Commit 18c2e17. A specially crafted .gguf file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. CVSSv3.1 8.8 (HIGH) · EPSS 41th percentile

CWECWE 787CWECWE 190VNDGgmlTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-02-26
2024-02-26 16:27Z
HIGH

CVE-2024-21802 — Ggml Llama.cpp: A heap-based buffer overflow vulnerability exists in the GGUF library info->ne functionality of llama.cpp

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-21802

A heap-based buffer overflow vulnerability exists in the GGUF library info->ne functionality of llama.cpp Commit 18c2e17. A specially crafted .gguf file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability. CVSSv3.1 8.8 (HIGH) · EPSS 65th percentile

CWECWE 787CWECWE 122VNDGgmlTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-02-26
2024-02-26 16:27Z
HIGH

CVE-2024-1710 — Unlimited-elements Addon_library: The Addon Library plugin for WordPress is vulnerable to unauthorized access of data due

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1710

The Addon Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the onAjaxAction function action in all versions up to, and including, 1.3.76. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions including uploading arbitrary files. CVSSv3.1 8.8 (HIGH) · EPSS 55th percentile

CWECWE 862VNDUnlimited ElementsVNDAddonTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-02-21
2024-02-21 16:15Z
HIGH

CVE-2024-1708 — Connectwise Screenconnect: 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1708

ConnectWise ScreenConnect 23.9.7 and prior are affected by path-traversal vulnerability, which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems. CVSSv3.1 8.4 (HIGH) · EPSS 98th percentile

CWECWE 22VNDConnectwiseTYPVulnerability
8.4
CVSS v3.1
100
Edit Score
2024-02-17
2024-02-17 08:15Z
CRIT

CVE-2024-1512 — Stylemixthemes Masterstudy_lms: The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1512

The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to union based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST route in all versions up to, and including, 3.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing q CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile

CWECWE 89VNDStylemixthemesVNDMasterstudyTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2024-02-17
2024-02-17 08:15Z
CRIT

CVE-2024-0610 — Papaki Piraeus_bank_woocommerce_payment_gateway: The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to time-based blind

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-0610

The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'MerchantReference' parameter in all versions up to, and including, 1.6.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive infor CVSSv3.1 9.8 (CRITICAL) · EPSS 70th percentile

CWECWE 89VNDPapakiVNDPiraeusTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-02-15
2024-02-15 16:15Z
CRIT

CVE-2023-7081 — Postahsil Online_payment_system: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-7081

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in POSTAHSİL Online Payment System allows SQL Injection. This issue affects Online Payment System: before 14.02.2024. CVSSv3.1 9.8 (CRITICAL) · EPSS 22th percentile

CWECWE 89VNDPostahsilTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-02-15
2024-02-15 16:15Z
CRIT

CVE-2023-5155 — Utarit Solipay_mobile: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-5155

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Utarit Information Technologies SoliPay Mobile App allows SQL Injection. This issue affects SoliPay Mobile App: before 5.0.8. CVSSv3.1 9.8 (CRITICAL) · EPSS 20th percentile

CWECWE 89VNDUtaritTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-02-14
2024-02-14 14:16Z
CRIT

CVE-2023-6441 — Unipa University_information_system: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6441

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in UNI-PA University Marketing & Computer Internet Trade Inc. University Information System allows SQL Injection. This issue affects University Information System: before 12.12.2023. CVSSv3.1 9.8 (CRITICAL) · EPSS 37th percentile

CWECWE 89VNDUnipaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score