Vulnerabilities
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-09-12 | CVE-2024-2010 | Cross-site Scripting vulnerability in Tebilisim V5 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in TE Informatics V5 allows Reflected XSS.This issue affects V5: before 6.2. | 6.1 |
| 2024-09-12 | CVE-2024-8522 | SQL Injection vulnerability in Thimpress Learnpress The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 7.5 |
| 2024-09-12 | CVE-2024-8529 | SQL Injection vulnerability in Thimpress Learnpress The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_fields' parameter of the /wp-json/lp/v1/courses/archive-course REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 7.5 |
| 2024-09-12 | CVE-2024-8622 | Cross-site Scripting vulnerability in Amcharts Amcharts: Charts and Maps The amCharts: Charts and Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'amcharts_javascript' parameter in all versions up to, and including, 1.4.4 due to the ability to supply arbitrary JavaScript a lack of nonce validation on the preview functionality. | 6.1 |
| 2024-09-12 | CVE-2024-3163 | Cross-Site Request Forgery (CSRF) vulnerability in Realestateconnected Easy Property Listings The Easy Property Listings WordPress plugin before 3.5.4 does not have CSRF check when deleting contacts in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack | 4.3 |
| 2024-09-12 | CVE-2024-5799 | Cross-site Scripting vulnerability in Cminds CM Popup The CM Pop-Up Banners for WordPress plugin before 1.7.3 does not sanitise and escape some of its popup fields, which could allow high privilege users such as Contributors to perform Cross-Site Scripting attacks. | 4.8 |
| 2024-09-12 | CVE-2024-6017 | Cross-Site Request Forgery (CSRF) vulnerability in Scriptonite Music Request Manager The Music Request Manager WordPress plugin through 1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | 6.1 |
| 2024-09-12 | CVE-2024-6018 | Cross-site Scripting vulnerability in Scriptonite Music Request Manager The Music Request Manager WordPress plugin through 1.3 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | 6.1 |
| 2024-09-12 | CVE-2024-6019 | Cross-site Scripting vulnerability in Scriptonite Music Request Manager The Music Request Manager WordPress plugin through 1.3 does not sanitise and escape incoming music requests, which could allow unauthenticated users to perform Cross-Site Scripting attacks against administrators | 6.1 |
| 2024-09-12 | CVE-2024-6887 | Cross-site Scripting vulnerability in Seedprod Rafflepress The Giveaways and Contests by RafflePress WordPress plugin before 1.12.16 does not sanitise and escape some of its Giveaways settings, which could allow high privilege users such as editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |