2024-02-12
2024-02-12 07:15Z
CRIT

CVE-2024-25100 — Wpswings Coupon_referral_program: Deserialization of Untrusted Data vulnerability in WP Swings Coupon Referral Program coupon-referral-program allows Object

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-25100

Deserialization of Untrusted Data vulnerability in WP Swings Coupon Referral Program coupon-referral-program allows Object Injection.This issue affects Coupon Referral Program: from n/a through < 1.8.4. CVSSv3.1 10.0 (CRITICAL)

CWECWE 502VNDWpswingsTYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2024-02-10
2024-02-10 07:15Z
HIGH

CVE-2024-0594 — Getawesomesupport Awesome_support: The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-0594

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to union-based SQL Injection via the 'q' parameter of the wpas_get_users action in all versions up to, and including, 6.1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already ex CVSSv3.1 8.8 (HIGH) · EPSS 48th percentile

CWECWE 89VNDGetawesomesupportVNDAwesomeTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-02-09
2024-02-09 14:15Z
CRIT

CVE-2023-6677 — Oduyo Online_collection: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6677

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Oduyo Financial Technology Online Collection allows SQL Injection. This issue affects Online Collection: before v.1.0.2. CVSSv3.1 9.8 (CRITICAL) · EPSS 20th percentile

CWECWE 89VNDOduyoTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-02-09
2024-02-09 13:15Z
HIGH

CVE-2023-6724 — Simgesel Hearing_tracking_system: Authorization Bypass Through User-Controlled Key vulnerability in Software Engineering Consultancy Machine Equipment Limited Company

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6724

Authorization Bypass Through User-Controlled Key vulnerability in Software Engineering Consultancy Machine Equipment Limited Company Hearing Tracking System allows Authentication Abuse. This issue affects Hearing Tracking System: before for IOS 7.0, for Android Latest release 1.0. CVSSv3.1 8.8 (HIGH) · EPSS 13th percentile

CWECWE 639VNDSimgeselTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-02-09
2024-02-09 09:15Z
CRIT

CVE-2024-25675 — Misp-project Misp: An issue was discovered in MISP before 2.4.184.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-25675

An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp. CVSSv3.1 9.8 (CRITICAL) · EPSS 52th percentile

CWECWE 749VNDMispVNDMisp ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-02-09
2024-02-09 09:15Z
CRIT

CVE-2024-25674 — Misp-project Misp: An issue was discovered in MISP before 2.4.184.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-25674

An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type. CVSSv3.1 9.8 (CRITICAL) · EPSS 51th percentile

CWECWE 434VNDMispVNDMisp ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-02-08
2024-02-08 18:15Z
CRIT

CVE-2024-24321 — Dlink Dir-816_firmware: An issue in Dlink DIR-816A2 v.1.10CNB05 allows a remote attacker to execute arbitrary code

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-24321

An issue in Dlink DIR-816A2 v.1.10CNB05 allows a remote attacker to execute arbitrary code via the wizardstep4_ssid_2 parameter in the sub_42DA54 function. CVSSv3.1 9.8 (CRITICAL) · EPSS 82th percentile

CWECWE 77VNDDlinkTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
728 × 90 / responsive · programmatic ad slot
2024-02-08
2024-02-08 10:15Z
HIGH

CVE-2023-6515 — Miateknoloji Mia-med: Authorization Bypass Through User-Controlled Key vulnerability in Mia Technology Inc.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6515

Authorization Bypass Through User-Controlled Key vulnerability in Mia Technology Inc. MİA-MED allows Authentication Abuse. This issue affects MİA-MED: before 1.0.7. CVSSv3.1 8.8 (HIGH) · EPSS 9th percentile

CWECWE 639VNDMiateknolojiTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-02-08
2024-02-08 09:15Z
CRIT

CVE-2024-1207 — Wpbookingcalendar Booking_calendar: The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1207

The WP Booking Calendar plugin for WordPress is vulnerable to SQL Injection via the 'calendar_request_params[dates_ddmmyy_csv]' parameter in all versions up to, and including, 9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the da CVSSv3.1 9.8 (CRITICAL) · EPSS 99th percentile

CWECWE 89VNDWpbookingcalendarVNDBookingTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2024-02-07
2024-02-07 11:15Z
HIGH

CVE-2024-1118 — Podlove Podlove_subscribe_button: The Podlove Subscribe button plugin for WordPress is vulnerable to UNION-based SQL Injection via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1118

The Podlove Subscribe button plugin for WordPress is vulnerable to UNION-based SQL Injection via the 'button' attribute of the podlove-subscribe-button shortcode in all versions up to, and including, 1.3.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing qu CVSSv3.1 8.8 (HIGH) · EPSS 68th percentile

CWECWE 89VNDPodloveTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-02-06
2024-02-06 01:15Z
HIGH

CVE-2023-46360 — Hardy-barth Cph2_echarge_firmware: Hardy Barth cPH2 eCharge Ladestation v1.87.0 and earlier is vulnerable to Execution with Unnecessary

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-46360

Hardy Barth cPH2 eCharge Ladestation v1.87.0 and earlier is vulnerable to Execution with Unnecessary Privileges. CVSSv3.1 8.8 (HIGH) · EPSS 85th percentile

CWECWE 250VNDHardy BarthVNDHardyTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2024-02-06
2024-02-06 01:15Z
CRIT

CVE-2023-46359 — Hardy-barth Cph2_echarge_firmware: An OS command injection vulnerability in Hardy Barth cPH2 eCharge Ladestation v1.87.0 and earlier

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-46359

An OS command injection vulnerability in Hardy Barth cPH2 eCharge Ladestation v1.87.0 and earlier, may allow an unauthenticated remote attacker to execute arbitrary commands on the system via a specifically crafted arguments passed to the connectivity check feature. CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile

CWECWE 78VNDHardy BarthTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2024-02-06
2024-02-06 00:15Z
CRIT

CVE-2024-24398 — Stimulsoft Dashboards.php: Directory Traversal vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-24398

Directory Traversal vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the fileName parameter of the Save function. CVSSv3.1 9.8 (CRITICAL) · EPSS 81th percentile

CWECWE 22VNDStimulsoftTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2024-02-05
2024-02-05 22:16Z
MED

CVE-2024-1210 — Learndash Learndash: The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1210

The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via API. This makes it possible for unauthenticated attackers to obtain access to quizzes. CVSSv3.1 5.3 (MEDIUM) · EPSS 96th percentile

CWECWE 200VNDLearndashTYPVulnerability
5.3
CVSS v3.1
84
Edit Score
2024-02-05
2024-02-05 22:16Z
MED

CVE-2024-1209 — Learndash Learndash: The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1209

The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.1 via direct file access due to insufficient protection of uploaded assignments. This makes it possible for unauthenticated attackers to obtain those uploads. CVSSv3.1 5.3 (MEDIUM) · EPSS 98th percentile

CWECWE 200VNDLearndashTYPVulnerability
5.3
CVSS v3.1
91
Edit Score
2024-02-05
2024-02-05 22:16Z
MED

CVE-2024-1208 — Learndash Learndash: The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1208

The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.2 via API. This makes it possible for unauthenticated attackers to obtain access to quiz questions. CVSSv3.1 5.3 (MEDIUM) · EPSS 99th percentile

CWECWE 200VNDLearndashTYPVulnerability
5.3
CVSS v3.1
100
Edit Score
2024-02-05
2024-02-05 22:16Z
HIGH

CVE-2024-1072 — Seedprod Website_builder_by_seedprod: The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1072

The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the seedprod_lite_new_lpage function in all versions up to, and including, 6.15.21. This makes it possible for unauthenticated attackers to change the contents of coming-soon, maintenance pages, login and 404 pages set up with the plugin. Version 6.15.22 addresses CVSSv3.1 8.2 (HIGH) · EPSS 44th percentile

CWECWE 862VNDSeedprodTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2024-02-05
2024-02-05 22:16Z
HIGH

CVE-2024-0869 — Connekthq Instant_images_-_one_click_unsplash_uploads: The Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-0869

The Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels plugin for WordPress is vulnerable to unauthorized arbitrary options update due to an insufficient check that neglects to verify whether the updated option belongs to the plugin on the instant-images/license REST API endpoint in all versions up to, and including, 6.1.0. This makes it possible for authors and higher to update arbitrary options. CVE-2024-33569 appears to be a duplicate of CVSSv3.1 8.8 (HIGH) · EPSS 60th percentile

CWECWE 862VNDConnekthqVNDInstantTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-02-05
2024-02-05 22:16Z
HIGH

CVE-2024-0761 — Filemanagerpro File_manager: The File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-0761

The File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.1 due to insufficient randomness in the backup filenames, which use a timestamp plus 4 random digits. This makes it possible for unauthenticated attackers, to extract sensitive data including site backups in configurations where the .htaccess file in the directory does not block access. CVSSv3.1 8.1 (HIGH) · EPSS 63th percentile

CWECWE 330VNDFilemanagerproTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2024-02-05
2024-02-05 22:16Z
MED

CVE-2024-0509 — Hwk Wp_404_auto_redirect_to_similar_post: The WP 404 Auto Redirect to Similar Post plugin for WordPress is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-0509

The WP 404 Auto Redirect to Similar Post plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘request’ parameter in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. CVSSv3.1 6.1 (MEDIUM) · EPSS 97th percentile

CWECWE 79VNDHwkVNDAutoTYPVulnerability
6.1
CVSS v3.1
91
Edit Score
2024-02-05
2024-02-05 22:15Z
HIGH

CVE-2024-0324 — Cozmoslabs Profile_builder: The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-0324

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_factor_authentication_settings_update' function in all versions up to, and including, 3.10.8. This makes it possible for unauthenticated attackers to enable or disable the 2FA functionality present in the Premium version of the plugin for arbitrary user roles. CVSSv3.1 8.2 (HIGH) · EPSS 97th percentile

CWECWE 862CWECWE 284VNDCozmoslabsTYPVulnerability
8.2
CVSS v3.1
100
Edit Score
2024-02-05
2024-02-05 22:15Z
CRIT

CVE-2024-0221 — 10web Photo_gallery: The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-0221

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.8.19 via the rename_item function. This makes it possible for authenticated attackers to rename arbitrary files on the server. This can lead to site takeovers if the wp-config.php file of a site can be renamed. By default this can be exploited by administrators only. In the premium version of the plugin, administrators ca CVSSv3.1 9.1 (CRITICAL) · EPSS 81th percentile

CWECWE 22VND10webTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2024-02-05
2024-02-05 22:15Z
HIGH

CVE-2023-6996 — Vegacorp Display_custom_fields_in_the_frontend_-_post_and_user_profile_fi: The Display custom fields in the frontend – Post and User Profile Fields plugin

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6996

The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Code Injection via the plugin's vg_display_data shortcode in all versions up to, and including, 1.2.1 due to insufficient input validation and restriction on access to that shortcode. This makes it possible for authenticated attackers with contributor-level and above permissions to call arbitrary functions and execute code. CVSSv3.1 8.8 (HIGH) · EPSS 76th percentile

CWECWE 94VNDVegacorpVNDDisplayTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-02-05
2024-02-05 22:15Z
CRIT

CVE-2023-6989 — Getshieldsecurity Shield_security: The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6989

The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files. CVSSv3.1 9.8 (CRITICAL) · EPSS 99th percentile

CWECWE 98CWECWE 22VNDGetshieldsecurityVNDShieldTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2024-02-05
2024-02-05 22:15Z
HIGH

CVE-2023-6933 — Wpengine Better_search_replace: The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6933

The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute c CVSSv3.1 8.8 (HIGH) · EPSS 100th percentile

CWECWE 502VNDWpengineVNDBetterTYPVulnerability
8.8
CVSS v3.1
100
Edit Score