Vulnerabilities (CVE)

Filtered by CWE-284
Total 4439 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-13855 1 Nilambar 1 Prime Addons For Elementor 2026-06-17 N/A 4.3 MEDIUM
The Prime Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.1 via the pae_global_block shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract information from posts that are not public, including drafts, private, password protected, and restricted posts. This applies to posts created with Elementor only.
CVE-2024-13854 1 Nicheaddons 1 Education Addon 2026-06-17 N/A 4.3 MEDIUM
The Education Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.1 via the naedu_elementor_template shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract information from posts that are not public, including drafts, password protected, and restricted posts. This applies to posts created with Elementor only.
CVE-2024-13693 1 Kriesi 1 Enfold 2026-06-17 N/A 5.3 MEDIUM
The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticated attackers to export all avia settings which may included sensitive information such as the Mailchimp API Key, reCAPTCHA Secret Key, or Envato private token if they are set.
CVE-2024-13635 2026-06-17 N/A 4.3 MEDIUM
The VK Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.94.2.2 via the page content block. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the content of private posts and pages.
CVE-2024-13514 2026-06-17 N/A 4.3 MEDIUM
The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.5 via the 'bsb-slider' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private posts that they should not have access to.
CVE-2024-13457 1 Liquidweb 1 Event Tickets 2026-06-17 N/A 5.3 MEDIUM
The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.18.1 via the tc-order-id parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view order details of orders they did not place, which includes ticket prices, user emails and order date.
CVE-2024-13430 1 Pagelayer 1 Pagelayer 2026-06-17 N/A 4.3 MEDIUM
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.8 via the 'pagelayer_builder_posts_shortcode' function due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private posts that they should not have access to.
CVE-2024-13240 1 Getopensocial 1 Open Social 2026-06-17 N/A 7.5 HIGH
Improper Access Control vulnerability in Drupal Open Social allows Collect Data from Common Resource Locations.This issue affects Open Social: from 0.0.0 before 12.05.
CVE-2024-13229 1 Rankmath 1 Seo 2026-06-17 N/A 4.3 MEDIUM
The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the update_metadata() function in all versions up to, and including, 1.0.235. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete any schema metadata assigned to any post.
CVE-2024-13212 1 Singmr 1 Houserent 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability classified as critical has been found in SingMR HouseRent 1.0. This affects the function singleUpload/upload of the file src/main/java/com/house/wym/controller/AddHouseController.java. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-13211 1 Singmr 1 Houserent 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability was found in SingMR HouseRent 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file src/main/java/com/house/wym/controller/AdminController.java. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-13210 1 Donglight 1 Bookstore 2026-06-17 5.8 MEDIUM 4.7 MEDIUM
A vulnerability was found in donglight bookstore电商书城系统说明 1.0. It has been declared as critical. Affected by this vulnerability is the function uploadPicture of the file src/main/java/org/zdd/bookstore/web/controller/admin/AdminBookController. java. The manipulation of the argument pictureFile leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-13201 1 Wander-chu 1 Springboot-blog 2026-06-17 5.8 MEDIUM 4.7 MEDIUM
A vulnerability has been found in wander-chu SpringBoot-Blog 1.0 and classified as critical. This vulnerability affects the function upload of the file src/main/java/com/my/blog/website/controller/admin/AttachtController.java of the component Admin Attachment Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-13200 1 Wander-chu 1 Springboot-blog 2026-06-17 7.5 HIGH 7.3 HIGH
A vulnerability, which was classified as critical, was found in wander-chu SpringBoot-Blog 1.0. This affects the function preHandle of the file src/main/java/com/my/blog/website/interceptor/BaseInterceptor.java of the component HTTP POST Request Handler. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-13191 1 Zerowdd 1 Myblog 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability, which was classified as critical, has been found in ZeroWdd myblog 1.0. This issue affects the function upload of the file src/main/java/com/wdd/myblog/controller/admin/uploadController.java. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-13145 1 Zhenfeng13 1 My-blog 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability classified as critical was found in zhenfeng13 My-Blog 1.0. Affected by this vulnerability is the function upload of the file src/main/java/com/site/blog/my/core/controller/admin/uploadController. java. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-13144 1 Zhenfeng13 1 My-blog 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability classified as critical has been found in zhenfeng13 My-Blog 1.0. Affected is the function uploadFileByEditomd of the file src/main/java/com/site/blog/my/core/controller/admin/BlogController.java. The manipulation of the argument editormd-image-file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-13138 1 Wangl1989 1 Mysiteforme 2026-06-17 5.8 MEDIUM 4.7 MEDIUM
A vulnerability was found in wangl1989 mysiteforme 1.0. It has been declared as critical. This vulnerability affects the function upload of the file src/main/java/com/mysiteform/admin/service/ipl/LocalUploadServiceImpl. The manipulation of the argument test leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-13134 1 Zerowdd 1 Studentmanager 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability, which was classified as critical, was found in ZeroWdd studentmanager 1.0. Affected is the function addTeacher/editTeacher of the file src/main/Java/com/wdd/studentmanager/controller/TeacherController. java. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-13133 1 Zerowdd 1 Studentmanager 2026-06-17 6.5 MEDIUM 6.3 MEDIUM
A vulnerability, which was classified as critical, has been found in ZeroWdd studentmanager 1.0. This issue affects the function addStudent/editStudent of the file src/main/Java/com/wdd/studentmanager/controller/StudentController. java. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.