Weekly Vulnerabilities Reports > June 17 to 23, 2024
Overview
165 new vulnerabilities were reported during this period, including 13 critical vulnerabilities and 43 high severity vulnerabilities. This weekly summary reports vulnerabilities in 97 products from 95 vendors including Linux, Opencart, Health Care Hospital Management System Project, Google, and Tessi. Vulnerabilities are notably categorized as "Cross-site Scripting", "Cross-Site Request Forgery (CSRF)", "Missing Authorization", "SQL Injection", and "Path Traversal".
- 157 reported vulnerabilities are remotely exploitable.
- 80 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 66 reported vulnerabilities are exploitable by an anonymous user.
- Linux has the most reported vulnerabilities, with 6 reported vulnerabilities.
- Icegram has the most reported critical vulnerabilities, with 1 reported vulnerability.
Vulnerability Details
The following table lists reported vulnerabilities for the period covered by this report:
13 Critical Vulnerabilities
43 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2024-06-21 | CVE-2024-35778 | Slideshow SE Project | Path Traversal vulnerability in Slideshow SE Project Slideshow SE Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in John West Slideshow SE PHP Local File Inclusion. This issue affects Slideshow SE: from n/a through 2.5.17. | 8.8 |
2024-06-21 | CVE-2022-43453 | Billminozzi | Missing Authorization vulnerability in Billminozzi WP Tools Missing Authorization vulnerability in Bill Minozzi WP Tools. This issue affects WP Tools: from n/a through 3.41. | 8.8 |
2024-06-21 | CVE-2022-45803 | Gutenbergforms | Missing Authorization vulnerability in Gutenbergforms Gutenberg Forms Missing Authorization vulnerability in Nikolay Strikhar WordPress Form Builder Plugin – Gutenberg Forms. This issue affects WordPress Form Builder Plugin – Gutenberg Forms: from n/a through 2.2.8.3. | 8.8 |
2024-06-21 | CVE-2023-51375 | Wpdeveloper | Missing Authorization vulnerability in Wpdeveloper Embedpress Missing Authorization vulnerability in WPDeveloper EmbedPress. This issue affects EmbedPress: from n/a through 3.8.3. | 8.8 |
2024-06-21 | CVE-2024-37118 | Uncannyowl | Cross-Site Request Forgery (CSRF) vulnerability in Uncannyowl Uncanny Automator Cross Site Request Forgery (CSRF) vulnerability in Uncanny Owl Uncanny Automator Pro. This issue affects Uncanny Automator Pro: from n/a through 5.3. | 8.8 |
2024-06-21 | CVE-2024-37198 | Blazethemes | Cross-Site Request Forgery (CSRF) vulnerability in Blazethemes Digital Newspaper Cross-Site Request Forgery (CSRF) vulnerability in blazethemes Digital Newspaper. This issue affects Digital Newspaper: from n/a through 1.1.5. | 8.8 |
2024-06-21 | CVE-2024-37212 | Ali2Woo | Cross-Site Request Forgery (CSRF) vulnerability in Ali2Woo 3.3.5 Cross-Site Request Forgery (CSRF) vulnerability in Ali2Woo Ali2Woo Lite. This issue affects Ali2Woo Lite: from n/a through 3.3.5. | 8.8 |
2024-06-21 | CVE-2024-37227 | Tribulant | Cross-Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters Cross Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters. This issue affects Newsletters: from n/a through 4.9.7. | 8.8 |
2024-06-21 | CVE-2024-37230 | Rarathemes | Cross-Site Request Forgery (CSRF) vulnerability in Rarathemes Book Landing Page Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Book Landing Page. This issue affects Book Landing Page: from n/a through 1.2.3. | 8.8 |
2024-06-21 | CVE-2024-35770 | Davekiss | Cross-Site Request Forgery (CSRF) vulnerability in Davekiss Vimeography Cross-Site Request Forgery (CSRF) vulnerability in Dave Kiss Vimeography: Vimeo Video Gallery WordPress Plugin. This issue affects Vimeography: Vimeo Video Gallery WordPress Plugin: from n/a through 2.4.1. | 8.8 |
2024-06-21 | CVE-2024-35771 | Presscustomizr | Cross-Site Request Forgery (CSRF) vulnerability in Presscustomizr Customizr Cross-Site Request Forgery (CSRF) vulnerability in presscustomizr Customizr. This issue affects Customizr: from n/a through 4.4.21. | 8.8 |
2024-06-21 | CVE-2024-35772 | Presscustomizr | Cross-Site Request Forgery (CSRF) vulnerability in Presscustomizr Hueman Cross-Site Request Forgery (CSRF) vulnerability in presscustomizr Hueman. This issue affects Hueman: from n/a through 3.7.24. | 8.8 |
2024-06-21 | CVE-2024-5455 | Posimyth | Unspecified vulnerability in Posimyth the Plus Addons for Elementor The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. | 8.8 |
2024-06-21 | CVE-2024-5503 | Codevibrant | Unspecified vulnerability in Codevibrant WP Blog Post Layouts The WP Blog Post Layouts plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.3. | 8.8 |
2024-06-20 | CVE-2024-5605 | Davidlingren | SQL Injection vulnerability in Davidlingren Media Library Assistant The Media Library Assistant plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter within the mla_tag_cloud Shortcode in all versions up to, and including, 3.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 8.8 |
2024-06-20 | CVE-2024-3561 | Custom Field Suite Project | SQL Injection vulnerability in Custom Field Suite Project Custom Field Suite The Custom Field Suite plugin for WordPress is vulnerable to SQL Injection via the 'Term' custom field in all versions up to, and including, 2.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 8.8 |
2024-06-20 | CVE-2024-3562 | Custom Field Suite Project | Code Injection vulnerability in Custom Field Suite Project Custom Field Suite The Custom Field Suite plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.6.7 via the Loop custom field. | 8.8 |
2024-06-20 | CVE-2024-4742 | Kainelabs | SQL Injection vulnerability in Kainelabs Youzify The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the order_by shortcode attribute in all versions up to, and including, 1.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 8.8 |
2024-06-20 | CVE-2024-6100 | Google | Type Confusion vulnerability in Google Chrome Type Confusion in V8 in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to execute arbitrary code via a crafted HTML page. | 8.8 |
2024-06-20 | CVE-2024-6101 | Google | Unspecified vulnerability in Google Chrome Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. | 8.8 |
2024-06-20 | CVE-2024-6102 | Google | Out-of-bounds Write vulnerability in Google Chrome Out of bounds memory access in Dawn in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2024-06-20 | CVE-2024-6103 | Google | Use After Free vulnerability in Google Chrome Use after free in Dawn in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2024-06-19 | CVE-2024-6132 | | The Pexels: Free Stock Photos plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'pexels_fsp_images_options_validate' function in all versions up to, and including, 1.2.2. | 8.8 |
2024-06-19 | CVE-2024-2381 | | The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_save_image function in all versions up to, and including, 3.3.5. | 8.8 |
2024-06-19 | CVE-2024-5724 | | The Photo Video Gallery Master plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.3 via deserialization of untrusted input 'PVGM_all_photos_details' parameter. | 8.8 |
2024-06-18 | CVE-2024-37802 | Health Care Hospital Management System Project | SQL Injection vulnerability in Health Care Hospital Management System Project Health Care Hospital Management System 1.0 CodeProjects Health Care hospital Management System v1.0 was discovered to contain a SQL injection vulnerability in the Patient Info module via the searvalu parameter. | 8.8 |
2024-06-18 | CVE-2024-38347 | Health Care Hospital Management System Project | SQL Injection vulnerability in Health Care Hospital Management System Project Health Care Hospital Management System 1.0 CodeProjects Health Care hospital Management System v1.0 was discovered to contain a SQL injection vulnerability in the Room Information module via the id parameter. | 8.8 |
2024-06-17 | CVE-2024-6045 | D-Link | Certain models of D-Link wireless routers contain an undisclosed factory testing backdoor. | 8.8 |
2024-06-22 | CVE-2024-21514 | Opencart | SQL Injection vulnerability in Opencart 3.0.3.9 This affects versions of the package opencart/opencart from 0.0.0. | 8.1 |
2024-06-18 | CVE-2023-5527 | Businessdirectoryplugin | Improper Neutralization of Formula Elements in a CSV File vulnerability in Businessdirectoryplugin Business Directory The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.3 via the class-csv-exporter.php file. | 8.0 |
2024-06-21 | CVE-2024-36477 | Linux | Out-of-bounds Read vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: tpm_tis_spi: Account for SPI header when allocating TPM SPI xfer buffer The TPM SPI transfer mechanism uses MAX_SPI_FRAMESIZE for computing the maximum transfer length and the size of the transfer buffer. | 7.8 |
2024-06-21 | CVE-2024-39277 | Linux | Out-of-bounds Read vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: dma-mapping: benchmark: handle NUMA_NO_NODE correctly cpumask_of_node() can be called for NUMA_NO_NODE inside do_map_benchmark() resulting in the following sanitizer report: UBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28 index -1 is out of range for type 'cpumask [64][1]' CPU: 1 PID: 990 Comm: dma_map_benchma Not tainted 6.9.0-rc6 #29 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:117) ubsan_epilogue (lib/ubsan.c:232) __ubsan_handle_out_of_bounds (lib/ubsan.c:429) cpumask_of_node (arch/x86/include/asm/topology.h:72) [inline] do_map_benchmark (kernel/dma/map_benchmark.c:104) map_benchmark_ioctl (kernel/dma/map_benchmark.c:246) full_proxy_unlocked_ioctl (fs/debugfs/file.c:333) __x64_sys_ioctl (fs/ioctl.c:890) do_syscall_64 (arch/x86/entry/common.c:83) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Use cpumask_of_node() in place when binding a kernel thread to a cpuset of a particular node. Note that the provided node id is checked inside map_benchmark_ioctl(). It's just a NUMA_NO_NODE case which is not handled properly later. Found by Linux Verification Center (linuxtesting.org). | 7.8 |
2024-06-21 | CVE-2024-35537 | Tvsmotor | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Tvsmotor TVS Connect 4.6.0/5.0.0 TVS Motor Company Limited TVS Connect Android v4.6.0 and IOS v5.0.0 was discovered to insecurely handle the RSA key pair, allowing attackers to possibly access sensitive information via decryption. | 7.5 |
2024-06-21 | CVE-2022-44587 | Melapress | Information Exposure Through Log Files vulnerability in Melapress WP 2FA Insertion of Sensitive Information into Log File vulnerability in WP 2FA allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WP 2FA: from n/a through 2.6.3. | 7.5 |
2024-06-21 | CVE-2024-6239 | Freedesktop Redhat | A flaw was found in Poppler's Pdfinfo utility. | 7.5 |
2024-06-21 | CVE-2024-35776 | Exeebit | Unspecified vulnerability in Exeebit PHPinfo-Wp Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Exeebit phpinfo() WP. This issue affects phpinfo() WP: from n/a through 5.0. | 7.5 |
2024-06-21 | CVE-2024-5059 | Awplife | Unspecified vulnerability in Awplife Event Monster Exposure of Sensitive Information to an Unauthorized Actor vulnerability in A WP Life Event Management Tickets Booking. This issue affects Event Management Tickets Booking: from n/a through 1.4.0. | 7.5 |
2024-06-21 | CVE-2024-6027 | Themify | SQL Injection vulnerability in Themify Product Filter The Themify – WooCommerce Product Filter plugin for WordPress is vulnerable to time-based SQL Injection via the ‘conditions’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 7.5 |
2024-06-19 | CVE-2024-5574 | | The WP Magazine Modules Lite plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.2 via the 'blockLayout' parameter. | 7.5 |
2024-06-22 | CVE-2024-3593 | | The UberMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. | 7.2 |
2024-06-22 | CVE-2024-21518 | Opencart | Path Traversal vulnerability in Opencart This affects versions of the package opencart/opencart from 4.0.0.0. | 7.2 |
2024-06-22 | CVE-2024-21519 | Opencart | Unspecified vulnerability in Opencart 4.0.0.0/4.0.2.2 This affects versions of the package opencart/opencart from 4.0.0.0. | 7.2 |
2024-06-21 | CVE-2024-35767 | Squeeze Project | Unrestricted Upload of File with Dangerous Type vulnerability in Squeeze Project Squeeze Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze allows Code Injection. This issue affects Squeeze: from n/a through 1.4. | 7.2 |
109 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2024-06-22 | CVE-2024-6120 | Wpneuron | Missing Authorization vulnerability in Wpneuron Sparkle Demo Importer The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. | 6.5 |
2024-06-21 | CVE-2024-35781 | Back2Nature | Path Traversal vulnerability in Back2Nature Word Balloon Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in YAHMAN Word Balloon allows PHP Local File Inclusion. This issue affects Word Balloon: from n/a through 4.21.1. | 6.5 |
2024-06-21 | CVE-2024-4382 | Wielebenwir | Cross-Site Request Forgery (CSRF) vulnerability in Wielebenwir Commonsbooking The CB (legacy) WordPress plugin through 0.9.4.18 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF attacks | 6.5 |
2024-06-21 | CVE-2024-1639 | Wpexperts | Incorrect Authorization vulnerability in Wpexperts License Manager for Woocommerce The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.7. | 6.5 |
2024-06-20 | CVE-2024-4565 | Advancedcustomfields | Unspecified vulnerability in Advancedcustomfields Advanced Custom Fields The Advanced Custom Fields (ACF) WordPress plugin before 6.3, Advanced Custom Fields Pro WordPress plugin before 6.3 allows you to display custom field values for any post via shortcode without checking for the correct access | 6.5 |
2024-06-20 | CVE-2024-4390 | Depicter | Improper Privilege Management vulnerability in Depicter The Slider and Carousel slider by Depicter plugin for WordPress is vulnerable to Arbitrary Nonce Generation in all versions up to, and including, 3.0.2. | 6.5 |
2024-06-20 | CVE-2024-5213 | Mintplexlabs | Exposure of Sensitive Information Through Metadata vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0/1.5.3 In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). | 6.5 |
2024-06-20 | CVE-2023-3204 | Extendthemes | Missing Authorization vulnerability in Extendthemes Materialis The Materialis theme for WordPress is vulnerable to limited arbitrary options updates in versions up to, and including, 1.1.24. | 6.5 |
2024-06-18 | CVE-2024-1634 | Startbooking | Missing Authorization vulnerability in Startbooking Scheduling Plugin - Online Booking The Scheduling Plugin – Online Booking for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cbsb_disconnect_settings' function in all versions up to, and including, 3.5.10. | 6.5 |
2024-06-17 | CVE-2024-6044 | D-Link | Certain models of D-Link wireless routers have a path traversal vulnerability. | 6.5 |
2024-06-20 | CVE-2024-5156 | | The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4 |
2024-06-20 | CVE-2024-5036 | | The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.5.4 due to insufficient input sanitization and output escaping. | 6.4 |
2024-06-19 | CVE-2024-0383 | | The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [wprm-recipe-instructions] and [wprm-recipe-ingredients] shortcodes in all versions up to, and including, 9.1.0 due to insufficient restrictions on the 'group_tag' attribute. | 6.4 |
2024-06-19 | CVE-2024-4632 | | The WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘custom_upload_mimes’ function in versions up to, and including, 2.0.7 due to insufficient input sanitization and output escaping. | 6.4 |
2024-06-19 | CVE-2024-3894 | | The Photo Gallery, Images, Slider in Rbs Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an Image Title in all versions up to, and including, 3.2.19 due to insufficient input sanitization and output escaping. | 6.4 |
2024-06-19 | CVE-2023-6692 | | The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tab anchor metabox in all versions up to, and including, 3.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4 |
2024-06-19 | CVE-2024-3984 | | The EmbedSocial – Social Media Feeds, Reviews and Galleries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'embedsocial_reviews' shortcode in all versions up to, and including, 1.1.29 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4 |
2024-06-19 | CVE-2024-4623 | | The Blogmentor – Blog Layouts for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pagination_style’ parameter in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. | 6.4 |
2024-06-19 | CVE-2024-4663 | | The OSM Map Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. | 6.4 |
2024-06-19 | CVE-2024-5768 | | The MIMO Woocommerce Order Tracking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mimo_update_provider' function in all versions up to, and including, 1.0.2. | 6.4 |
2024-06-18 | CVE-2024-5970 | | The MaxGalleria plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's maxgallery_thumb shortcode in all versions up to, and including, 6.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4 |
2024-06-22 | CVE-2024-5596 | | The ARMember Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7. | 6.3 |
2024-06-19 | CVE-2024-4450 | | The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.5. | 6.3 |
2024-06-22 | CVE-2024-21517 | Opencart | Cross-site Scripting vulnerability in Opencart 4.0.0.0/4.0.2.2 This affects versions of the package opencart/opencart from 4.0.0.0. | 6.1 |
2024-06-22 | CVE-2024-5791 | Vcita | Cross-site Scripting vulnerability in Vcita Online Booking & Scheduling Calendar for Wordpress BY Vcita The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp_id' parameter in all versions up to, and including, 4.4.2 due to missing authorization checks on processAction function, as well as insufficient input sanitization and output escaping. | 6.1 |
2024-06-21 | CVE-2024-35766 | WP Pizza | Cross-site Scripting vulnerability in Wp-Pizza Wppizza Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ollybach WPPizza allows Reflected XSS. This issue affects WPPizza: from n/a through 3.18.13. | 6.1 |
2024-06-21 | CVE-2024-5859 | Vcita | Cross-site Scripting vulnerability in Vcita Online Booking & Scheduling Calendar for Wordpress BY Vcita The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘d’ parameter in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. | 6.1 |
2024-06-21 | CVE-2024-4616 | Devnath Verma | Cross-site Scripting vulnerability in Devnath Verma Widget Bundle The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users | 6.1 |
2024-06-21 | CVE-2024-5344 | Posimyth | Cross-site Scripting vulnerability in Posimyth the Plus Addons for Elementor The The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘forgoturl’ attribute within the plugin's WP Login & Register widget in all versions up to, and including, 5.5.6 due to insufficient input sanitization and output escaping. | 6.1 |
2024-06-20 | CVE-2024-3597 | Myrecorp | Open Redirect vulnerability in Myrecorp Export WP Page to Static Html/Css 2.1.9 The Export WP Page to Static HTML/CSS plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.2.2. | 6.1 |
2024-06-20 | CVE-2024-6177 | LG | Cross-site Scripting vulnerability in LG Supersign CMS Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in LG Electronics SuperSign CMS allows Reflected XSS. This issue affects SuperSign CMS: from 4.1.3 before < 4.3.1. | 6.1 |
2024-06-20 | CVE-2024-6178 | LG | Cross-site Scripting vulnerability in LG Supersign CMS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LG Electronics SuperSign CMS allows Reflected XSS. This issue affects SuperSign CMS: from 4.1.3 before < 4.3.1. | 6.1 |
2024-06-20 | CVE-2024-6179 | LG | Cross-site Scripting vulnerability in LG Supersign CMS Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LG Electronics SuperSign CMS allows Reflected XSS. This issue affects SuperSign CMS: from 4.1.3 before < 4.3.1. | 6.1 |
2024-06-18 | CVE-2024-37800 | Health Care Hospital Management System Project | Cross-site Scripting vulnerability in Health Care Hospital Management System Project Health Care Hospital Management System 1.0 CodeProjects Restaurant Reservation System v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Date parameter at index.php. | 6.1 |
2024-06-17 | CVE-2024-37619 | Strongshop | Cross-site Scripting vulnerability in Strongshop 1.0 StrongShop v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the spec_group_id parameter at /spec/index.blade.php. | 6.1 |
2024-06-17 | CVE-2024-37624 | Rockoa | Cross-site Scripting vulnerability in Rockoa 2.6.3 Xinhu RockOA v2.6.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the /chajian/inputChajian.php. | 6.1 |
2024-06-17 | CVE-2024-37625 | Zhimengzhel | Cross-site Scripting vulnerability in Zhimengzhel Ibarn 1.5 zhimengzhe iBarn v1.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the $search parameter at /index.php. | 6.1 |
2024-06-19 | CVE-2024-4787 | | The Cost Calculator Builder PRO for WordPress is vulnerable to arbitrary email sending vulnerability in versions up to, and including, 3.1.75. | 5.8 |
2024-06-21 | CVE-2024-36288 | Linux | Infinite Loop vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix loop termination condition in gss_free_in_token_pages() The in_token->pages[] array is not NULL terminated. | 5.5 |
2024-06-21 | CVE-2024-36481 | Linux | Improper Check for Unusual or Exceptional Conditions vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: tracing/probes: fix error check in parse_btf_field() btf_find_struct_member() might return NULL or an error via the ERR_PTR() macro. | 5.5 |
2024-06-21 | CVE-2024-38780 | Linux | Improper Locking vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: dma-buf/sw-sync: don't enable IRQ from sync_print_obj() Since commit a6aa8fca4d79 ("dma-buf/sw-sync: Reduce irqsave/irqrestore from known context") by error replaced spin_unlock_irqrestore() with spin_unlock_irq() for both sync_debugfs_show() and sync_print_obj() despite sync_print_obj() is called from sync_debugfs_show(), lockdep complains inconsistent lock state warning. Use plain spin_{lock,unlock}() for sync_print_obj(), for sync_debugfs_show() is already using spin_{lock,unlock}_irq(). | 5.5 |
2024-06-22 | CVE-2024-5965 | Wildweblab | Cross-site Scripting vulnerability in Wildweblab Mosaic The Mosaic theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter within the theme's Button shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. | 5.4 |
2024-06-22 | CVE-2024-5966 | Grey Opaque Project | Cross-site Scripting vulnerability in Grey Opaque Project Grey Opaque The Grey Opaque theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Download-Button shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. | 5.4 |
2024-06-22 | CVE-2024-2484 | Themeisle | Cross-site Scripting vulnerability in Themeisle Orbit FOX The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Services and Post Type Grid widgets in all versions up to, and including, 2.10.34 due to insufficient input sanitization and output escaping. | 5.4 |
2024-06-22 | CVE-2024-4313 | Fusionplugin | Cross-site Scripting vulnerability in Fusionplugin Table Addons for Elementor The Table Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. | 5.4 |
2024-06-22 | CVE-2024-5346 | Uxthemes | Cross-site Scripting vulnerability in Uxthemes Flatsome The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the UX Countdown, Video Button, UX Video, UX Slider, UX Sidebar, and UX Payment Icons shortcodes in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
2024-06-21 | CVE-2024-37671 | Tessi | Cross-site Scripting vulnerability in Tessi Docubase 5.0 Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the page parameter. | 5.4 |
2024-06-21 | CVE-2024-37672 | Tessi | Cross-site Scripting vulnerability in Tessi Docubase 5.0 Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the idactivity parameter. | 5.4 |
2024-06-21 | CVE-2024-37673 | Tessi | Cross-site Scripting vulnerability in Tessi Docubase 5.0 Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the filename parameter. | 5.4 |
2024-06-21 | CVE-2024-37675 | Tessi | Cross-site Scripting vulnerability in Tessi Docubase 5.0 Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the parameter "sectionContent" related to the functionality of adding notes to an uploaded file. | 5.4 |
2024-06-21 | CVE-2022-38055 | Gvectors | Cross-site Scripting vulnerability in Gvectors Wpforo Forum Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Content Spoofing. This issue affects wpForo Forum: from n/a through 2.0.9. | 5.4 |
2024-06-21 | CVE-2024-35758 | Themehorse | Cross-site Scripting vulnerability in Themehorse Interface Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Theme Horse Interface allows Stored XSS. This issue affects Interface: from n/a through 3.1.0. | 5.4 |
2024-06-21 | CVE-2024-35761 | Vcita | Cross-site Scripting vulnerability in Vcita Online Booking & Scheduling Calendar for Wordpress BY Vcita Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in vCita Online Booking & Scheduling Calendar for WordPress by vcita allows Stored XSS. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.4.0. | 5.4 |
2024-06-21 | CVE-2024-35762 | Cryoutcreations | Cross-site Scripting vulnerability in Cryoutcreations Serious Slider Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Cryout Creations Serious Slider allows Stored XSS. This issue affects Serious Slider: from n/a through 1.2.4. | 5.4 |
2024-06-21 | CVE-2024-35763 | Themefreesia | Cross-site Scripting vulnerability in Themefreesia Excellent Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Theme Freesia Excellent allows Stored XSS. This issue affects Excellent: from n/a through 1.2.9. | 5.4 |
2024-06-21 | CVE-2024-35764 | Church Admin Project | Cross-site Scripting vulnerability in Church Admin Project Church Admin Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Andy Moyle Church Admin allows Stored XSS. This issue affects Church Admin: from n/a through 4.4.4. | 5.4 |
2024-06-21 | CVE-2024-35774 | Darteweb | Cross-site Scripting vulnerability in Darteweb Dimage 360 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in D’arteweb DImage 360 allows Stored XSS. This issue affects DImage 360: from n/a through 2.0. | 5.4 |
2024-06-21 | CVE-2024-35779 | Livecomposerplugin | Cross-site Scripting vulnerability in Livecomposerplugin Live-Composer-Page-Builder Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS. This issue affects Page Builder: Live Composer: from n/a through 1.5.42. | 5.4 |
2024-06-21 | CVE-2024-5058 | Wpdeveloper | Cross-site Scripting vulnerability in Wpdeveloper Typing Text Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPDeveloper Typing Text allows Stored XSS. This issue affects Typing Text: from n/a through 1.2.5. | 5.4 |
2024-06-21 | CVE-2024-5945 | Kubiq | Cross-site Scripting vulnerability in Kubiq WP SVG Images The WP SVG Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 4.2 due to insufficient input sanitization. | 5.4 |
2024-06-21 | CVE-2024-5191 | Wpmudev | Cross-site Scripting vulnerability in Wpmudev Branda The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mime_types’ parameter in all versions up to, and including, 3.4.17 due to insufficient input sanitization and output escaping. | 5.4 |
2024-06-21 | CVE-2024-4377 | Dotonpaper | Cross-site Scripting vulnerability in Dotonpaper DOT on Paper Shortcodes The DOP Shortcodes WordPress plugin through 1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | 5.4 |
2024-06-21 | CVE-2024-4477 | Onetarek | Cross-site Scripting vulnerability in Onetarek WP Logs Book The WP Logs Book WordPress plugin through 1.0.1 does not sanitise and escape some of its log data before outputting them back in an admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting | 5.4 |
2024-06-21 | CVE-2024-5448 | Mohsinrasool | Cross-site Scripting vulnerability in Mohsinrasool Paypal PAY Now, BUY Now, Donation and Cart Buttons Shortcode The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | 5.4 |
2024-06-20 | CVE-2024-5686 | Wpzoom | Cross-site Scripting vulnerability in Wpzoom Addons for Elementor The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the plugin's Team Members widget in all versions up to, and including, 1.1.38 due to insufficient input sanitization and output escaping. | 5.4 |
2024-06-20 | CVE-2024-1168 | Seopress | Cross-site Scripting vulnerability in Seopress The SEOPress – On-site SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's social image URL in all versions up to, and including, 7.9 due to insufficient input sanitization and output escaping on user supplied image URLs. | 5.4 |
2024-06-20 | CVE-2024-3558 | Custom Field Suite Project | Cross-site Scripting vulnerability in Custom Field Suite Project Custom Field Suite The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the 'cfs[post_title]' parameter versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. | 5.4 |
2024-06-20 | CVE-2024-3627 | Kraftplugins | Missing Authorization vulnerability in Kraftplugins Wheel of Life The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the AjaxFunctions.php file in all versions up to, and including, 1.1.7. | 5.4 |
2024-06-20 | CVE-2024-4626 | Crocoblock | Cross-site Scripting vulnerability in Crocoblock Jetwidgets for Elementor The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘layout_type’ and 'id' parameters in all versions up to, and including, 1.0.17 due to insufficient input sanitization and output escaping. | 5.4 |
2024-06-19 | CVE-2024-1407 | The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.10. | 5.4 | |
2024-06-19 | CVE-2024-5649 | The Universal Slider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.5 via deserialization of untrusted input 'fsl_get_gallery_value' function. | 5.4 | |
2024-06-18 | CVE-2024-37803 | Health Care Hospital Management System Project | Cross-site Scripting vulnerability in Health Care Hospital Management System Project Health Care Hospital Management System 1.0 Multiple stored cross-site scripting (XSS) vulnerabilities in CodeProjects Health Care hospital Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fname and lname parameters under the Staff Info page. | 5.4 |
2024-06-18 | CVE-2024-5533 | Elegantthemes | Cross-site Scripting vulnerability in Elegantthemes Divi 4.23.2 The Divi theme for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.25.1 due to insufficient input sanitization and output escaping. | 5.4 |
2024-06-18 | CVE-2024-4094 | Sharethis | Cross-site Scripting vulnerability in Sharethis Simple Share Buttons Adder The Simple Share Buttons Adder WordPress plugin before 8.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | 5.4 |
2024-06-18 | CVE-2024-0845 | Redlettuce | Cross-site Scripting vulnerability in Redlettuce PDF Viewer for Elementor The PDF Viewer for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the render function in all versions up to, and including, 2.9.3 due to insufficient input sanitization and output escaping. | 5.4 |
2024-06-18 | CVE-2024-4375 | Averta | Cross-site Scripting vulnerability in Averta Master Slider 3.2.7/3.5.1 The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ms_layer' shortcode in all versions up to, and including, 3.9.10 due to insufficient input sanitization and output escaping on the 'css_id' user supplied attribute. | 5.4 |
2024-06-21 | CVE-2022-44593 | Solidwp | Insufficient Verification of Data Authenticity vulnerability in Solidwp Solid Security Use of Less Trusted Source vulnerability in SolidWP Solid Security allows HTTP DoS.This issue affects Solid Security: from n/a through 9.3.1. | 5.3 |
2024-06-21 | CVE-2024-3961 | Convertkit | Missing Authorization vulnerability in Convertkit - Email Marketing, Email Newsletter and Landing Pages The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. | 5.3 |
2024-06-21 | CVE-2024-3610 | Wensolutions | Missing Authorization vulnerability in Wensolutions WP Child Theme Generator The WP Child Theme Generator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wctg_easy_child_theme() function in all versions up to, and including, 1.1.1. | 5.3 |
2024-06-19 | CVE-2024-0789 | The WP Maintenance plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 6.1.9.2 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. | 5.3 | |
2024-06-18 | CVE-2024-5541 | Vowelweb | Unspecified vulnerability in Vowelweb Ibtana The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ibtana_visual_editor_register_ajax_json_endpont' function in all versions up to, and including, 1.2.3.3. | 5.3 |
2024-06-21 | CVE-2024-35757 | 5Starplugins | Cross-site Scripting vulnerability in 5Starplugins Easy AGE Verify Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in 5 Star Plugins Easy Age Verify allows Stored XSS.This issue affects Easy Age Verify: from n/a through 1.8.2. | 4.8 |
2024-06-21 | CVE-2024-35759 | Wpjobportal | Cross-site Scripting vulnerability in Wpjobportal WP JOB Portal Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Job Portal allows Stored XSS.This issue affects WP Job Portal: from n/a through 2.1.3. | 4.8 |
2024-06-21 | CVE-2024-35760 | Wpjobportal | Cross-site Scripting vulnerability in Wpjobportal WP JOB Portal Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Job Portal allows Stored XSS.This issue affects WP Job Portal: from n/a through 2.1.3. | 4.8 |
2024-06-21 | CVE-2024-35768 | Livecomposerplugin | Cross-site Scripting vulnerability in Livecomposerplugin Live-Composer-Page-Builder Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through 1.5.42. | 4.8 |
2024-06-21 | CVE-2024-35769 | Slideshow SE Project | Cross-site Scripting vulnerability in Slideshow SE Project Slideshow SE Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in John West Slideshow SE allows Stored XSS.This issue affects Slideshow SE: from n/a through 2.5.17. | 4.8 |
2024-06-21 | CVE-2024-6225 | TMS Outsource | Cross-site Scripting vulnerability in Tms-Outsource Amelia The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.5 (and 7.5.1 for the Pro version) due to insufficient input sanitization and output escaping. | 4.8 |
2024-06-21 | CVE-2024-4381 | Wielebenwir | Cross-site Scripting vulnerability in Wielebenwir Commonsbooking The CB (legacy) WordPress plugin through 0.9.4.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2024-06-21 | CVE-2024-4384 | Dmonnier | Cross-site Scripting vulnerability in Dmonnier Cssable Countdown The CSSable Countdown WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2024-06-21 | CVE-2024-4755 | Erikeng | Cross-site Scripting vulnerability in Erikeng Google CSE 1.0.7 The Google CSE WordPress plugin through 1.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2024-06-21 | CVE-2024-4970 | Devnath Verma | Cross-site Scripting vulnerability in Devnath Verma Widget Bundle The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2024-06-21 | CVE-2024-5447 | Mohsinrasool | Cross-site Scripting vulnerability in Mohsinrasool Paypal PAY Now, BUY Now, Donation and Cart Buttons Shortcode The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2024-06-18 | CVE-2024-3276 | Fooplugins | Cross-site Scripting vulnerability in Fooplugins Foobox The Lightbox & Modal Popup WordPress Plugin WordPress plugin before 2.7.28, foobox-image-lightbox-premium WordPress plugin before 2.7.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 4.8 |
2024-06-18 | CVE-2024-5172 | Expert Invoice Project | Cross-site Scripting vulnerability in Expert Invoice Project Expert Invoice The Expert Invoice WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2024-06-22 | CVE-2024-21515 | Opencart | Cross-site Scripting vulnerability in Opencart 4.0.0.0/4.0.2.2 This affects versions of the package opencart/opencart from 4.0.0.0. | 4.7 |
2024-06-22 | CVE-2024-21516 | Opencart | Cross-site Scripting vulnerability in Opencart This affects versions of the package opencart/opencart from 4.0.0.0. | 4.7 |
2024-06-21 | CVE-2024-38662 | Linux | Unspecified vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: bpf: Allow delete from sockmap/sockhash only if update is allowed We have seen an influx of syzkaller reports where a BPF program attached to a tracepoint triggers a locking rule violation by performing a map_delete on a sockmap/sockhash. We don't intend to support this artificial use scenario. | 4.7 |
2024-06-20 | CVE-2024-38082 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | 4.7 | |
2024-06-22 | CVE-2024-4874 | Bricksbuilder | Authorization Bypass Through User-Controlled Key vulnerability in Bricksbuilder Bricks The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. | 4.3 |
2024-06-21 | CVE-2024-5639 | Cozmoslabs | Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'rest_api_change_profile_image' function due to missing validation on a user controlled key. | 4.3 |
2024-06-21 | CVE-2024-4474 | Onetarek | Cross-Site Request Forgery (CSRF) vulnerability in Onetarek WP Logs Book The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | 4.3 |
2024-06-21 | CVE-2024-4475 | Onetarek | Cross-Site Request Forgery (CSRF) vulnerability in Onetarek WP Logs Book The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check when clearing logs, which could allow attackers to make a logged in admin clear the logs them via a CSRF attack | 4.3 |
2024-06-21 | CVE-2024-4969 | Devnath Verma | Cross-Site Request Forgery (CSRF) vulnerability in Devnath Verma Widget Bundle The Widget Bundle WordPress plugin through 2.0.0 does not have CSRF checks when logging Widgets, which could allow attackers to make logged in admin enable/disable widgets via a CSRF attack | 4.3 |
2024-06-21 | CVE-2024-1955 | Wprepublic | Missing Authorization vulnerability in Wprepublic Hide Dashboard Notifications The Hide Dashboard Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'warning_notices_settings' function in all versions up to, and including, 1.3. | 4.3 |
2024-06-20 | CVE-2024-38093 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | 4.3 | |
2024-06-20 | CVE-2024-3602 | Promolayer | Missing Authorization vulnerability in Promolayer Popup Builder The Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the disconnect_promolayer function in all versions up to, and including, 1.1.0. | 4.3 |
2024-06-19 | CVE-2024-4541 | The Custom Product List Table plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. | 4.3 | |
2024-06-19 | CVE-2024-4873 | The Replace Image plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.10 via the image replacement functionality due to missing validation on a user controlled key. | 4.3 | |
2024-06-18 | CVE-2024-5860 | Tickera | Incorrect Authorization vulnerability in Tickera The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action in all versions up to, and including, 3.5.2.8. | 4.3 |
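Most of the WordPress entries in the table above reduce to the same handful of handler defects: an AJAX or REST action with no capability check (CVE-2024-3627, CVE-2024-3961, CVE-2024-3610, CVE-2024-5541, CVE-2024-1955, CVE-2024-3602, CVE-2024-5860), no nonce check (CVE-2024-1407, CVE-2024-4474, CVE-2024-4475, CVE-2024-4969, CVE-2024-4541), a user-controlled key acted on without ownership validation (CVE-2024-4874, CVE-2024-5639, CVE-2024-4873), and settings or shortcode attributes stored and echoed without sanitization and escaping (the Stored XSS rows). The following is an added example written for this report, not code from any plugin listed: the AJAX handler and settings field of a hypothetical "Example Gallery" plugin in their vulnerable shape beside a hardened version. The WordPress functions used (check_ajax_referer, current_user_can, get_post, absint, wp_unslash, sanitize_text_field, esc_html, esc_attr, register_setting, get_option, wp_send_json_success, wp_send_json_error) are real core APIs; the exg_ prefix, the action, post type and option names are assumptions.

```php
<?php
/**
 * Added example for this report, not code from any plugin listed above.
 * Hypothetical "Example Gallery" plugin: the exg_ prefix, the exg_gallery
 * post type and the exg_title option are assumptions. Runs inside WordPress;
 * every wp_, esc_, sanitize_ and check_ function below is a real core API.
 */

/* ---- Vulnerable shape: the pattern behind the missing-authorization, CSRF,
 * IDOR and stored-XSS rows. Reachable by any logged-in user. ---- */
add_action( 'wp_ajax_exg_save_caption', 'exg_save_caption_vulnerable' );
function exg_save_caption_vulnerable() {
    $post_id = $_POST['postId'];   // user-controlled key, never validated (IDOR)
    $caption = $_POST['caption'];  // stored as received (stored XSS)
    // No check_ajax_referer(): a form on another site can fire this (CSRF).
    // No current_user_can(): a Subscriber can edit any post (missing authorization).
    update_post_meta( $post_id, 'exg_caption', $caption );
    echo '<span class="caption">' . $caption . '</span>';   // unescaped on output
    wp_die();
}

/* ---- Hardened shape. ---- */
add_action( 'wp_ajax_exg_save_caption_v2', 'exg_save_caption_hardened' );
function exg_save_caption_hardened() {
    // CSRF: the request must carry a nonce created with wp_create_nonce( 'exg_caption' ).
    check_ajax_referer( 'exg_caption', 'nonce' );

    // Authorization: a capability, not merely an authenticated session.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Object-level authorization: the key must name a post of the type this
    // plugin manages, and one the caller is allowed to edit.
    $post_id = absint( $_POST['postId'] ?? 0 );
    $post    = get_post( $post_id );
    if ( ! $post || 'exg_gallery' !== $post->post_type || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    // Sanitize on the way in ...
    $caption = sanitize_text_field( wp_unslash( $_POST['caption'] ?? '' ) );
    update_post_meta( $post_id, 'exg_caption', $caption );

    // ... and escape on the way out, for the context the value lands in.
    wp_send_json_success( array(
        'html' => '<span class="caption">' . esc_html( $caption ) . '</span>',
    ) );
}

/* ---- Settings: the "does not sanitise and escape some of its settings" rows.
 * Admin-only input still needs both steps: on multisite, or with
 * DISALLOW_UNFILTERED_HTML set, admins lack the unfiltered_html capability,
 * and the stored value is later rendered for every visitor. ---- */
add_action( 'admin_init', 'exg_register_settings' );
function exg_register_settings() {
    register_setting( 'exg_options', 'exg_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',   // runs before the option is saved
        'default'           => '',
    ) );
}

function exg_render_title_field() {
    // Escaped for the attribute context; use esc_html() for text nodes and esc_url() for hrefs.
    printf(
        '<input type="text" name="exg_title" value="%s" />',
        esc_attr( get_option( 'exg_title', '' ) )
    );
}
```

Two points the rows hint at but do not spell out: being logged in is not an authorization check, so a wp_ajax_ hook needs current_user_can() against a concrete capability (and, for per-object actions, the object-level 'edit_post' check) even when it has no wp_ajax_nopriv_ twin; and a nonce check alone does not replace the capability check, since a nonce only proves the request originated from a page this user loaded, not that the user may perform the action.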
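The WP Maintenance entry (CVE-2024-0789) names its cause precisely: user-supplied HTTP headers used as the primary method of IP retrieval. Any feature keyed on the client address, such as an allow-list of IPs that may bypass maintenance mode, a ban list or a rate limiter, is then defeated by a single forged header. The following is an added example written for this report, not code from the WP Maintenance plugin or any other project: the typical header-first lookup beside a version that only honours forwarding headers when the TCP peer is a configured reverse proxy. Plain PHP with no WordPress dependency; the $_SERVER-shaped arrays and the addresses in them are constructed for the demonstration.

```php
<?php
/*
 * Added example for this report, not code from the WP Maintenance plugin or any
 * other project. The request arrays and addresses below are constructed.
 */

// Vulnerable: the first header found wins and is never validated. Any client
// can send X-Forwarded-For, so an IP allow-list built on this is spoofable.
function client_ip_vulnerable( array $server ): string {
    foreach ( array( 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP' ) as $key ) {
        if ( ! empty( $server[ $key ] ) ) {
            return trim( explode( ',', $server[ $key ] )[0] );   // left-most hop, unverified
        }
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Hardened: REMOTE_ADDR comes from the TCP connection and cannot be set by the
// client. Forwarding headers count only when that peer is one of our own
// proxies, and then only the right-most hop that is not itself one of our
// proxies is trusted (each proxy appends the address it saw).
function client_ip_hardened( array $server, array $trusted_proxies ): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ( ! in_array( $remote, $trusted_proxies, true ) ) {
        return $remote;                                  // direct connection: headers are noise
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ( '' === $xff ) {
        return $remote;
    }
    $hops = array_map( 'trim', explode( ',', $xff ) );
    for ( $i = count( $hops ) - 1; $i >= 0; $i-- ) {
        if ( in_array( $hops[ $i ], $trusted_proxies, true ) ) {
            continue;
        }
        // Reject malformed values ("1.2.3.4 evil", an empty field) instead of
        // letting them reach a comparison against an allow-list.
        return false !== filter_var( $hops[ $i ], FILTER_VALIDATE_IP ) ? $hops[ $i ] : $remote;
    }
    return $remote;
}

// Constructed requests (not captured traffic).
$trusted = array( '10.0.0.2' );      // our reverse proxy
$allowed = '203.0.113.10';           // address permitted to bypass maintenance mode

// 1. Attacker connects directly and claims the allowed address in a header.
$direct_spoof = array( 'REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => $allowed );
// 2. Legitimate visitor arriving through the proxy.
$via_proxy    = array( 'REMOTE_ADDR' => '10.0.0.2',     'HTTP_X_FORWARDED_FOR' => $allowed );
// 3. Attacker behind the proxy prepends the allowed address; the proxy appends the real one.
$proxy_spoof  = array( 'REMOTE_ADDR' => '10.0.0.2',     'HTTP_X_FORWARDED_FOR' => $allowed . ', 198.51.100.7' );

assert( client_ip_vulnerable( $direct_spoof ) === $allowed );                 // bypass succeeds
assert( client_ip_hardened( $direct_spoof, $trusted ) === '198.51.100.7' );
assert( client_ip_hardened( $via_proxy, $trusted ) === $allowed );
assert( client_ip_vulnerable( $proxy_spoof ) === $allowed );                  // bypass succeeds
assert( client_ip_hardened( $proxy_spoof, $trusted ) === '198.51.100.7' );
```

Run it with `php client_ip.php`; with the CLI default zend.assertions=1 the asserts execute, and the two lines marked "bypass succeeds" are the bug. The trusted-proxy list must be configuration, never derived from the request, and if the site is not behind a proxy at all the correct list is empty, which reduces client_ip_hardened() to REMOTE_ADDR.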
0 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|