2023-11-22
2023-11-22 16:15Z
HIGH

CVE-2023-5815 — Infornweb News_\&_blog_designer_pack: The News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-5815

The News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) plugin for WordPress is vulnerable to Remote Code Execution via Local File Inclusion in all versions up to, and including, 3.4.1 via the bdp_get_more_post function hooked via a nopriv AJAX. This is due to function utilizing an unsafe extract() method to extract values from the POST variable and passing that input to the include() CVSSv3.1 8.1 (HIGH) · EPSS 98th percentile

CWECWE 98VNDInfornwebTYPVulnerability
8.1
CVSS v3.1
100
Edit Score
2023-11-22
2023-11-22 16:15Z
HIGH

CVE-2023-5466 — Gopiplus Wp_anything_slider: The Wp anything slider plugin for WordPress is vulnerable to SQL Injection via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-5466

The Wp anything slider plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the d CVSSv3.1 8.8 (HIGH) · EPSS 63th percentile

CWECWE 89VNDGopiplusTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-11-22
2023-11-22 16:15Z
HIGH

CVE-2023-5465 — Gopiplus Popup_with_fancybox: The Popup with fancybox plugin for WordPress is vulnerable to SQL Injection via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-5465

The Popup with fancybox plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the CVSSv3.1 8.8 (HIGH) · EPSS 57th percentile

CWECWE 89VNDGopiplusTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-11-22
2023-11-22 16:15Z
HIGH

CVE-2023-2497 — Userproplugin Userpro: The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2497

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'import_settings' function. This makes it possible for unauthenticated attackers to exploit PHP Object Injection due to the use of unserialize() on the user supplied parameter via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 40th percentile

CWECWE 352VNDUserpropluginVNDUserproTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-11-22
2023-11-22 16:15Z
CRIT

CVE-2023-2449 — Userproplugin Userpro: The UserPro plugin for WordPress is vulnerable to unauthorized password resets in versions up

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2449

The UserPro plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 5.1.1. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (userpro_process_form). The function uses the plaintext value of a password reset key instead of a hashed value which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-2448 and CVE-2023-2446, CVSSv3.1 9.8 (CRITICAL) · EPSS 70th percentile

CWECWE 620VNDUserpropluginVNDUserproTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-11-22
2023-11-22 16:15Z
HIGH

CVE-2023-2440 — Userproplugin Userpro: The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2440

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing nonce validation in the 'admin_page', 'userpro_verify_user' and 'verifyUnverifyAllUsers' functions. This makes it possible for unauthenticated attackers to modify the role of verified users to elevate verified user privileges to that of any user such as 'administrator' via a forged request granted they can trick a site administrator into CVSSv3.1 8.8 (HIGH) · EPSS 31th percentile

CWECWE 352VNDUserpropluginVNDUserproTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-11-22
2023-11-22 16:15Z
CRIT

CVE-2023-2437 — Userproplugin Userpro: The UserPro plugin for WordPress is vulnerable to authentication bypass in versions up to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2437

The UserPro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.1. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. An attacker can leverage CVE-2023-2448 and CVE-2023-2446 to get the user's email address to succes CVSSv3.1 9.8 (CRITICAL) · EPSS 99th percentile

CWECWE 288CWECWE 287VNDUserpropluginVNDUserproTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
728 × 90 / responsive · programmatic ad slot
2023-11-22
2023-11-22 14:15Z
CRIT

CVE-2023-2889 — Veom Service_tracking: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2889

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Veon Computer Service Tracking Software allows SQL Injection.This issue affects Service Tracking Software: before crm 2.0. CVSSv3.1 9.8 (CRITICAL)

CWECWE 89VNDVeomTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-11-22
2023-11-22 12:15Z
CRIT

CVE-2023-5047 — Drd Drdrive: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-5047

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in DRD Fleet Leasing DRDrive allows SQL Injection. This issue affects DRDrive: before 20231006. CVSSv3.1 9.8 (CRITICAL) · EPSS 33th percentile

CWECWE 89VNDDrdTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-11-20
2023-11-20 15:15Z
HIGH

CVE-2023-6196 — Myaudiomerchant Audio_merchant: The Audio Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in all

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6196

The Audio Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.4. This is due to missing or incorrect nonce validation on the function audio_merchant_add_audio_file function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 31th percentile

CWECWE 352VNDMyaudiomerchantVNDAudioTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-11-18
2023-11-18 15:45Z
INFO

v1.1.0

NetExec releases·github.com

NetExec v1.1.0 release includes new capabilities for S4U abuse automation, enhanced SSH/WinRM/FTP protocol support, schtask module for user impersonation, and significant code cleanup via linting. The release adds post-exploitation functionality improvements and fixes multiple bugs across protocol handlers and credential management.

SRFOsTACTA0002SRFNetworkTACTA0008VNDNetexecTYPToolSTGExecutionSTGCred Access
62
Edit Score
2023-11-18
2023-11-18 02:15Z
HIGH

CVE-2023-6187 — Strangerstudios Paid_memberships_pro: The Paid Memberships Pro plugin for WordPress is vulnerable to arbitrary file uploads due

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6187

The Paid Memberships Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'pmpro_paypalexpress_session_vars_for_user_fields' function in versions up to, and including, 2.12.3. This makes it possible for authenticated attackers with subscriber privileges or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if 2Checkout (deprecated since CVSSv3.1 7.5 (HIGH) · EPSS 96th percentile

CWECWE 434VNDStrangerstudiosVNDPaidTYPVulnerability
7.5
CVSS v3.1
94
Edit Score
2023-11-18
2023-11-18 02:15Z
HIGH

CVE-2023-4214 — Apppresser Apppresser: The AppPresser plugin for WordPress is vulnerable to unauthorized password resets in versions up

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-4214

The AppPresser plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 4.2.5. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit. CVSSv3.1 8.1 (HIGH) · EPSS 59th percentile

CWECWE 620CWECWE 640VNDApppresserTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2023-11-14
2023-11-14 18:15Z
HIGH

CVE-2023-36424 — Microsoft Windows_10_1507: Windows Common Log File System Driver Elevation of Privilege Vulnerability

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-36424in the wild

Windows Common Log File System Driver Elevation of Privilege Vulnerability CVSSv3.1 7.8 (HIGH) · EPSS 92th percentile

CWECWE 125VNDMicrosoftTYPVulnerabilitySTAitw exploited
7.8
CVSS v3.1
91
Edit Score
2023-11-14
2023-11-14 11:15Z
CRIT

CVE-2023-44373 — Siemens 6gk5205-3bb00-2ab2_firmware: This could allow an authenticated remote attacker with administrative privileges to inject code or

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-44373

Affected devices do not properly sanitize an input field. This could allow an authenticated remote attacker with administrative privileges to inject code or spawn a system root shell. Follow-up of CVE-2022-36323. CVSSv3.1 9.1 (CRITICAL) · EPSS 68th percentile

CWECWE 74VNDSiemensTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2023-11-11
2023-11-11 01:15Z
CRIT

CVE-2023-46850 — Openvpn Openvpn: Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-46850

Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execution when sending network buffers to a remote peer. CVSSv3.1 9.8 (CRITICAL) · EPSS 78th percentile

CWECWE 416VNDOpenvpnVNDFedoraprojectTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-11-07
2023-11-07 16:15Z
CRIT

CVE-2023-47359 — Videolan Vlc_media_player: VLC prior to version 3.0.20 contains an incorrect offset read that leads to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-47359

Videolan VLC prior to version 3.0.20 contains an incorrect offset read that leads to a Heap-Based Buffer Overflow in function GetPacket() and results in a memory corruption. CVSSv3.1 9.8 (CRITICAL) · EPSS 37th percentile

CWECWE 787VNDVideolanTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-11-07
2023-11-07 16:15Z
MED

CVE-2023-41425 — Wondercms Wondercms: Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-41425

Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component. CVSSv3.1 6.1 (MEDIUM) · EPSS 99th percentile

CWECWE 79VNDWondercmsTYPVulnerability
6.1
CVSS v3.1
97
Edit Score
2023-11-07
2023-11-07 12:15Z
HIGH

CVE-2023-5709 — Web-dorado Wd_widgettwitter: The WD WidgetTwitter plugin for WordPress is vulnerable to SQL Injection via the plugin's

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-5709

The WD WidgetTwitter plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 1.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the CVSSv3.1 8.8 (HIGH) · EPSS 45th percentile

CWECWE 89VNDWeb DoradoVNDWidgettwitterTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-11-06
2023-11-06 10:15Z
HIGH

CVE-2023-46084 — Bplugins Icons_font_loader: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-46084

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bPlugins LLC Icons Font Loader allows SQL Injection.This issue affects Icons Font Loader: from n/a through 1.1.2. CVSSv3.1 8.5 (HIGH) · EPSS 43th percentile

CWECWE 89VNDBpluginsTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2023-11-06
2023-11-06 09:15Z
HIGH

CVE-2023-45657 — Posimyth Nexter: A vulnerability in posimyththemes Nexter nexter.This issue affects Nexter: from n/a through <= 2.0.3.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-45657

A vulnerability in posimyththemes Nexter nexter.This issue affects Nexter: from n/a through <= 2.0.3. CVSSv3.1 8.5 (HIGH) · EPSS 94th percentile

CWECWE 89VNDPosimythVNDNexterTYPVulnerability
8.5
CVSS v3.1
96
Edit Score
2023-11-06
2023-11-06 09:15Z
HIGH

CVE-2023-45074 — Pagevisitcounter Advanced_page_visit_counter: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-45074

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Page Visit Counter Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress allows SQL Injection.This issue affects Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress: from n/a through 7.1.1. CVSSv3.1 8.5 (HIGH)

CWECWE 89VNDPagevisitcounterTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2023-11-06
2023-11-06 09:15Z
HIGH

CVE-2023-45055 — Inspireui Mstore_api: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-45055

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in InspireUI MStore API allows SQL Injection.This issue affects MStore API: from n/a through 4.0.6. CVSSv3.1 8.5 (HIGH) · EPSS 43th percentile

CWECWE 89VNDInspireuiTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2023-11-06
2023-11-06 09:15Z
HIGH

CVE-2023-45001 — Castos Seriously_simple_stats: A vulnerability in Craig Hewitt Seriously Simple Stats seriously-simple-stats.This issue affects Seriously Simple Stats

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-45001

A vulnerability in Craig Hewitt Seriously Simple Stats seriously-simple-stats.This issue affects Seriously Simple Stats: from n/a through <= 1.5.0. CVSSv3.1 8.5 (HIGH) · EPSS 43th percentile

CWECWE 89VNDCastosVNDCraigTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2023-11-06
2023-11-06 09:15Z
HIGH

CVE-2023-40609 — Rocklobster Contact_form_7_custom_validation: A vulnerability in aiyaz Khorajia Contact form 7 Custom validation cf7-field-validation.This issue affects Contact

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-40609

A vulnerability in aiyaz Khorajia Contact form 7 Custom validation cf7-field-validation.This issue affects Contact form 7 Custom validation: from n/a through <= 1.1.3. CVSSv3.1 8.2 (HIGH) · EPSS 43th percentile

CWECWE 89VNDRocklobsterVNDKhorajiaTYPVulnerability
8.2
CVSS v3.1
91
Edit Score