Vulnerabilities > Medium

| Date | CVE | Vendor | Title | Description | Attack vector | Attack complexity | CWE | Score |
|---|---|---|---|---|---|---|---|---|
| 2025-02-14 | CVE-2024-56477 | | | IBM Power Hardware Management Console V10.3.1050.0 could allow an authenticated user to traverse directories on the system. | network | low | CWE-22 | 6.5 |
| 2025-02-14 | CVE-2024-13791 | | | Bit Assist plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.2 via the downloadResponseFile() function. | network | low | CWE-23 | 4.9 |
| 2025-02-14 | CVE-2025-0821 | | | Bit Assist plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 1.5.2 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. | network | low | CWE-89 | 6.5 |
| 2025-02-14 | CVE-2024-13735 | | | The HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.11.2 due to insufficient input sanitization and output escaping of a campaign name. | network | low | CWE-79 | 6.4 |
| 2025-02-14 | CVE-2024-9601 | | | The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' and 'UniqueID' parameters in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. | network | low | CWE-79 | 6.5 |
| 2025-02-14 | CVE-2024-13641 | | | The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.5 via the 'attachment' directory. | network | high | CWE-200 | 5.9 |
| 2025-02-14 | CVE-2024-13692 | | | The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.4.5 via several functions due to missing validation on a user-controlled key. | network | low | CWE-285 | 5.4 |
| 2025-02-13 | CVE-2024-13867 | tangiblewp | Cross-site Scripting vulnerability in Tangiblewp Listivo | The Listivo - Classified Ads WordPress Theme theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 2.3.67 due to insufficient input sanitization and output escaping. | network | low | CWE-79 | 6.1 |
| 2025-02-13 | CVE-2024-13639 | edmonsoft | Missing Authorization vulnerability in Edmonsoft Read More & Accordion | The Read More & Accordion plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the expmDeleteData() function in all versions up to, and including, 3.4.2. | network | low | CWE-862 | 4.3 |
| 2025-02-13 | CVE-2025-0661 | | | The DethemeKit For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the duplicate_post() function due to insufficient restrictions on which posts can be duplicated. | network | low | CWE-639 | 4.3 |