Vulnerabilities
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-01-22 | CVE-2024-13406 | Cross-site Scripting vulnerability in Icopydoc XML for Google Merchant Center The XML for Google Merchant Center plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'feed_id' parameter in all versions up to, and including, 3.0.11 due to insufficient input sanitization and output escaping. | 6.1 |
| 2025-01-22 | CVE-2024-12879 | Missing Authorization vulnerability in Quantumcloud Wpot The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'qc_wp_latest_update_check_pro' function in all versions up to, and including, 13.5.5. | 4.3 |
| 2025-01-22 | CVE-2024-13584 | Cross-site Scripting vulnerability in Videowhisper Picture Gallery The Picture Gallery – Frontend Image Uploads, AJAX Photo List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_pictures' shortcode in all versions up to, and including, 1.5.19 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
| 2025-01-22 | CVE-2024-13590 | Cross-site Scripting vulnerability in Ayecode Ketchup Shortcodes The Ketchup Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spacer' shortcode in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
| 2025-01-22 | CVE-2024-13426 | SQL Injection vulnerability in Wp-Polls Project Wp-Polls The WP-Polls plugin for WordPress is vulnerable to SQL Injection via COOKIE in all versions up to, and including, 2.77.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 5.3 |
| 2025-01-22 | CVE-2024-13091 | Unrestricted Upload of File with Dangerous Type vulnerability in Wpbot Wpot The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'qcld_wpcfb_file_upload' function in all versions up to, and including, 13.5.4. | 9.8 |
| 2025-01-21 | CVE-2023-37024 | Reachable Assertion vulnerability in Linuxfoundation Magma A reachable assertion in the Mobile Management Entity (MME) of Magma versions <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows remote attackers to crash the MME with an unauthenticated cellphone by sending a NAS packet containing an `Emergency Number List` Information Element. | 7.5 |
| 2025-01-21 | CVE-2023-37025 | NULL Pointer Dereference vulnerability in Linuxfoundation Magma A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `Reset` packet missing an expected `ResetType` field. | 6.5 |
| 2025-01-21 | CVE-2023-37026 | NULL Pointer Dereference vulnerability in Linuxfoundation Magma A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `E-RAB Release Response` packet missing an expected `MME_UE_S1AP_ID` field. | 6.5 |
| 2025-01-21 | CVE-2023-37027 | NULL Pointer Dereference vulnerability in Linuxfoundation Magma Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `E-RAB Modification Indication` packet missing an expected `eNB_UE_S1AP_ID` field. | 6.5 |