Vulnerabilities

DATE CVE VULNERABILITY TITLE RISK
2025-01-22 CVE-2024-13447 Missing Authorization vulnerability in Thimpress WP Hotel Booking
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hotel_booking_load_order_user AJAX action in all versions up to, and including, 2.1.6.
network
low complexity
thimpress CWE-862
4.3
2025-01-22 CVE-2024-13495 Code Injection vulnerability in Gamipress
The The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via the gamipress_ajax_get_logs() function in all versions up to, and including, 7.2.1.
network
low complexity
gamipress CWE-94
7.3
2025-01-22 CVE-2024-13496 Unspecified vulnerability in Gamipress
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 7.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
network
low complexity
gamipress
7.5
2025-01-22 CVE-2024-13499 Code Injection vulnerability in Gamipress
The The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via gamipress_do_shortcode() function in all versions up to, and including, 7.2.1.
network
low complexity
gamipress CWE-94
7.3
2025-01-22 CVE-2022-23439 Externally Controlled Reference to a Resource in Another Sphere vulnerability in Fortinet products
A externally controlled reference to a resource in another sphere in Fortinet FortiManager before version 7.4.3, FortiMail before version 7.0.3, FortiAnalyzer before version 7.4.3, FortiVoice version 7.0.0, 7.0.1 and before 6.4.8, FortiProxy before version 7.0.4, FortiRecorder version 6.4.0 through 6.4.2 and before 6.0.10, FortiAuthenticator version 6.4.0 through 6.4.1 and before 6.3.3, FortiNDR version 7.2.0 before 7.1.0, FortiWLC before version 8.6.4, FortiPortal before version 6.0.9, FortiOS version 7.2.0 and before 7.0.5, FortiADC version 7.0.0 through 7.0.1 and before 6.2.3 , FortiDDoS before version 5.5.1, FortiDDoS-F before version 6.3.3, FortiTester before version 7.2.1, FortiSOAR before version 7.2.2 and FortiSwitch before version 6.3.3 allows attacker to poison web caches via crafted HTTP requests, where the `Host` header points to an arbitrary webserver
network
low complexity
fortinet CWE-610
6.1
2025-01-22 CVE-2024-13319 Cross-site Scripting vulnerability in Themify Builder
The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.6.5.
network
low complexity
themify CWE-79
6.1
2025-01-22 CVE-2024-13360 Server-Side Request Forgery (SSRF) vulnerability in Aipower
The AI Power: Complete AI Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.8.96 via the wpaicg_troubleshoot_add_vector().
network
low complexity
aipower CWE-918
5.4
2025-01-22 CVE-2024-13361 Missing Authorization vulnerability in Aipower
The AI Power: Complete AI Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpaicg_save_image_media function in all versions up to, and including, 1.8.96.
network
low complexity
aipower CWE-862
8.8
2025-01-22 CVE-2025-0428 Deserialization of Untrusted Data vulnerability in Aipower
The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_content'] variable through the wpaicg_export_prompts function.
network
low complexity
aipower CWE-502
7.2
2025-01-22 CVE-2025-0429 Deserialization of Untrusted Data vulnerability in Aipower
The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_content'] variable through the wpaicg_export_ai_forms() function.
network
low complexity
aipower CWE-502
7.2