2023-07-13
2023-07-13 03:15Z
HIGH

CVE-2023-3343 — Wpeverest User_registration: The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3343

The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.1 via deserialization of untrusted input from the 'profile-pic-url' parameter. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to del CVSSv3.1 8.8 (HIGH) · EPSS 71th percentile

CWECWE 502VNDWpeverestTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-07-13
2023-07-13 03:15Z
CRIT

CVE-2023-3342 — Wpeverest User_registration: The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3342

The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hardcoded encryption key and missing file type validation on the 'ur_upload_profile_pic' function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with subscriber-level capabilities or above to upload arbitrary files on the affected site's server which may make remote code execution possible. This was partially patched in version 3.0.2 and ful CVSSv3.1 9.9 (CRITICAL) · EPSS 91th percentile

CWECWE 434VNDWpeverestTYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2023-07-12
2023-07-12 13:15Z
CRIT

CVE-2023-33668 — Digiexam Digiexam: up to v14.0.2 lacks integrity checks for native modules, allowing attackers to access

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-33668

DigiExam up to v14.0.2 lacks integrity checks for native modules, allowing attackers to access PII and takeover accounts on shared computers. CVSSv3.1 9.8 (CRITICAL) · EPSS 34th percentile

CWECWE 354VNDDigiexamTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-07-12
2023-07-12 05:15Z
HIGH

CVE-2023-3105 — Learndash Learndash: The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3105

The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for attackers with with existing account access at any level, to change user passwords and potentially take over administrator accounts. CVSSv3.1 8.8 (HIGH) · EPSS 18th percentile

CWECWE 639VNDLearndashTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-07-11
2023-07-11 18:15Z
CRIT

CVE-2023-33150 — Microsoft 365_apps: Office Security Feature Bypass Vulnerability

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-33150

Microsoft Office Security Feature Bypass Vulnerability CVSSv3.1 9.6 (CRITICAL) · EPSS 42th percentile

CWECWE 693VNDMicrosoftTYPVulnerability
9.6
CVSS v3.1
98
Edit Score
2023-07-10
2023-07-10 16:15Z
HIGH

CVE-2023-3271 — Sick Icr890-4_firmware: Improper Access Control in the SICK ICR890-4 could allow an unauthenticated remote attacker to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3271

Improper Access Control in the SICK ICR890-4 could allow an unauthenticated remote attacker to gather information about the system and download data via the REST API by accessing unauthenticated endpoints. CVSSv3.1 8.2 (HIGH) · EPSS 44th percentile

CWECWE 284VNDAccessVNDSickTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2023-07-10
2023-07-10 16:15Z
CRIT

CVE-2023-3045 — Tise Parking_web_report: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3045

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tise Technology Parking Web Report allows SQL Injection.This issue affects Parking Web Report: before 2.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile

CWECWE 89VNDTiseTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
728 × 90 / responsive · programmatic ad slot
2023-07-10
2023-07-10 16:15Z
CRIT

CVE-2023-2852 — Softmedyazilim Selfpatron: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2852

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Softmed SelfPatron allows SQL Injection.This issue affects SelfPatron : before 2.0. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile

CWECWE 89VNDSoftmedyazilimTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-07-10
2023-07-10 16:15Z
CRIT

CVE-2023-2046 — Yontemizleme Vehicle_tracking_system: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2046

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yontem Informatics Vehicle Tracking System allows SQL Injection.This issue affects Vehicle Tracking System: before 8. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile

CWECWE 89VNDYontemizlemeTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-07-05
2023-07-05 03:15Z
HIGH

CVE-2022-42175 — Soluslabs Solusvm: Insecure Direct Object Reference vulnerability in WHMCS module SolusVM 1 4.1.2 allows an attacker

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-42175

Insecure Direct Object Reference vulnerability in WHMCS module SolusVM 1 4.1.2 allows an attacker to change the password and hostname of other customer servers without authorization. CVSSv3.1 8.8 (HIGH) · EPSS 45th percentile

CWECWE 639VNDDirectVNDSoluslabsTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-07-01
2023-07-01 06:15Z
HIGH

CVE-2021-4401 — Analogwp Style_kits: The Style Kits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-4401

The Style Kits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.0. This is due to missing or incorrect nonce validation on the update_posts_stylekit() function. This makes it possible for unauthenticated attackers to update style kits for posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 51th percentile

CWECWE 352VNDAnalogwpVNDStyleTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-06-30
2023-06-30 23:15Z
HIGH

CVE-2023-36144 — Intelbras Sg_2404_mr_firmware: An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1.00.54 allows an

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-36144

An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1.00.54 allows an unauthenticated attacker to download the backup file of the device, exposing critical information about the device configuration. CVSSv3.1 7.5 (HIGH) · EPSS 98th percentile

CWECWE 862VNDIntelbrasTYPVulnerability
7.5
CVSS v3.1
99
Edit Score
2023-06-30
2023-06-30 16:15Z
HIGH

CVE-2023-35178 — Hp W1a75a_firmware: Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow when performing

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-35178

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow when performing a GET request to scan jobs. CVSSv3.1 8.8 (HIGH) · EPSS 31th percentile

CWECWE 120VNDHpVNDCertainTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-06-30
2023-06-30 16:15Z
HIGH

CVE-2023-35177 — Hp W1a75a_firmware: Certain HP LaserJet Pro print products are potentially vulnerable to a stack-based buffer overflow

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-35177

Certain HP LaserJet Pro print products are potentially vulnerable to a stack-based buffer overflow related to the compact font format parser. CVSSv3.1 8.8 (HIGH) · EPSS 29th percentile

CWECWE 787VNDHpVNDCertainTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-06-30
2023-06-30 16:15Z
HIGH

CVE-2023-35176 — Hp W1a75a_firmware: Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Denial

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-35176

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Denial of Service when using the backup & restore feature through the embedded web service on the device. CVSSv3.1 8.8 (HIGH) · EPSS 36th percentile

CWECWE 120VNDHpVNDCertainTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-06-30
2023-06-30 16:15Z
CRIT

CVE-2023-35175 — Hp W1a75a_firmware: Certain HP LaserJet Pro print products are potentially vulnerable to Potential Remote Code Execution

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-35175

Certain HP LaserJet Pro print products are potentially vulnerable to Potential Remote Code Execution and/or Elevation of Privilege via Server-Side Request Forgery (SSRF) using the Web Service Eventing model. CVSSv3.1 9.8 (CRITICAL) · EPSS 76th percentile

CWECWE 918VNDHpVNDCertainTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-06-30
2023-06-30 02:15Z
CRIT

CVE-2023-3249 — Miniorange Web3_-_crypto_wallet_login_\&_nft_token_gating: The Web3 – Crypto wallet Login & NFT token gating plugin for WordPress is

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3249

The Web3 – Crypto wallet Login & NFT token gating plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.6.0. This is due to incorrect authentication checking in the 'hidden_form_data' function. This makes it possible for authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username. CVSSv3.1 9.8 (CRITICAL) · EPSS 37th percentile

CWECWE 288VNDMiniorangeVNDWeb3TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-06-30
2023-06-30 02:15Z
HIGH

CVE-2023-3063 — Smartypantsplugins Sp_project_\&_document_manager: The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3063

The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.67. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber privileges or above, to change user passwords and potentially take over administrator accounts. CVSSv3.1 8.8 (HIGH) · EPSS 19th percentile

CWECWE 639VNDSmartypantspluginsVNDProjectTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-06-30
2023-06-30 02:15Z
CRIT

CVE-2023-2834 — Stylemixthemes Bookit: The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2834

The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. This is due to insufficient verification on the user being supplied during booking an appointment through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. CVSSv3.1 9.8 (CRITICAL) · EPSS 64th percentile

CWECWE 288CWECWE 306VNDStylemixthemesVNDBookitTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-06-30
2023-06-30 01:15Z
HIGH

CVE-2023-36143 — Maxprintisp Maxlink_1200g_firmware: Maxprint Maxlink 1200G v3.4.11E has an OS command injection vulnerability in the "Diagnostic tool"

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-36143

Maxprint Maxlink 1200G v3.4.11E has an OS command injection vulnerability in the "Diagnostic tool" functionality of the device. CVSSv3.1 8.8 (HIGH) · EPSS 82th percentile

CWECWE 78VNDMaxprintispVNDMaxprintTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2023-06-29
2023-06-29 02:15Z
CRIT

CVE-2023-2982 — Miniorange Wordpress_social_login_and_register_\(discord\,_google\,_twitter: The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2982

The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was p CVSSv3.1 9.8 (CRITICAL) · EPSS 99th percentile

CWECWE 288VNDWordpressVNDMiniorangeTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-06-24
2023-06-24 03:15Z
HIGH

CVE-2023-3388 — Beautiful-cookie-banner Beautiful_cookie_consent_banner: The Beautiful Cookie Consent Banner for WordPress is vulnerable to Stored Cross-Site Scripting via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3388

The Beautiful Cookie Consent Banner for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nsc_bar_content_href' parameter in versions up to, and including, 2.10.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A partial patch was made available in 2.10.1 and the issue was fully patched in 2.10.2. CVSSv3.1 7.2 (HIGH) · EPSS 99th percentile

CWECWE 79VNDBeautiful Cookie BannerVNDBeautifulTYPVulnerability
7.2
CVSS v3.1
100
Edit Score
2023-06-24
2023-06-24 03:15Z
CRIT

CVE-2023-3197 — Inspireui Mstore_api: The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3197

The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versions up to, and including, 4.0.1 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. CVSSv3.1 9.8 (CRITICAL) · EPSS 97th percentile

CWECWE 89VNDInspireuiVNDMstoreTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-06-23
2023-06-23 19:15Z
HIGH

CVE-2023-34672 — Elenos Etg150_firmware: Improper Access Control leads to adding a high-privilege user affecting Elenos ETG150 FM transmitter

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-34672

Improper Access Control leads to adding a high-privilege user affecting Elenos ETG150 FM transmitter running on version 3.12 by exploiting user's role within the admin profile. An attack could occur over the public Internet in some cases. CVSSv3.1 8.8 (HIGH) · EPSS 51th percentile

CWECWE 281VNDAccessVNDElenosTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-06-23
2023-06-23 18:15Z
HIGH

CVE-2023-34671 — Elenos Etg150_fm_firmware: Improper Access Control leads to privilege escalation affecting Elenos ETG150 FM transmitter running on

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-34671

Improper Access Control leads to privilege escalation affecting Elenos ETG150 FM transmitter running on version 3.12 by exploiting user's role in the user profile. An attack could occur over the public Internet in some cases. CVSSv3.1 8.8 (HIGH) · EPSS 55th percentile

VNDAccessVNDElenosTYPVulnerability
8.8
CVSS v3.1
94
Edit Score