Total
4907 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-53810 | 2024-12-06 | N/A | 9.1 CRITICAL | ||
| Missing Authorization vulnerability in Najeeb Ahmad Simple User Registration allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Simple User Registration: from n/a through 5.5. | |||||
| CVE-2024-53806 | 2024-12-06 | N/A | 5.4 MEDIUM | ||
| Missing Authorization vulnerability in WpMaspik Maspik – Spam blacklist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Maspik – Spam blacklist: from n/a through 2.2.7. | |||||
| CVE-2024-53799 | 2024-12-06 | N/A | 4.3 MEDIUM | ||
| Missing Authorization vulnerability in BAKKBONE Australia FloristPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FloristPress: from n/a through 7.3.0. | |||||
| CVE-2024-53795 | 2024-12-06 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in Andy Moyle Church Admin allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Church Admin: from n/a through 5.0.8. | |||||
| CVE-2024-12155 | 2024-12-06 | N/A | 9.8 CRITICAL | ||
| The SV100 Companion plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the settings_import() function in all versions up to, and including, 2.0.02. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | |||||
| CVE-2024-12110 | 2024-12-06 | N/A | 4.3 MEDIUM | ||
| The Gold Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate() and deactivate() functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate and deactivate licenses. | |||||
| CVE-2024-12028 | 2024-12-06 | N/A | 5.3 MEDIUM | ||
| The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to send arbitrary friend requests on behalf of another website, accept the friend request for the targeted website, and then communicate with the site as an accepted friend. | |||||
| CVE-2024-12027 | 2024-12-06 | N/A | 4.3 MEDIUM | ||
| The Message Filter for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateFilter() and deleteFilter() functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to update and delete filters. | |||||
| CVE-2024-11323 | 2024-12-06 | N/A | 8.8 HIGH | ||
| The AI Quiz | Quiz Maker plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ai_quiz_update_style() function in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | |||||
| CVE-2024-41624 | 2024-12-05 | N/A | 6.3 MEDIUM | ||
| Incorrect access control in Himalaya Xiaoya nano smart speaker rom_version 1.6.96 allows a remote attacker to have an unspecified impact. | |||||
| CVE-2024-23230 | 1 Apple | 1 Macos | 2024-12-05 | N/A | 5.5 MEDIUM |
| This issue was addressed with improved file handling. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. An app may be able to access sensitive user data. | |||||
| CVE-2024-11743 | 1 Mayurik | 1 Best House Rental Management System | 2024-12-04 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in SourceCodester Best House Rental Management System 1.0. Affected is an unknown function of the file /rental/ajax.php?action=delete_user of the component POST Request Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-11673 | 1 1000projects | 1 Bookstore Management System | 2024-12-04 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in 1000 Projects Bookstore Management System 1.0. This issue affects some unknown processing. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-53605 | 2024-12-04 | N/A | 7.5 HIGH | ||
| Incorrect access control in the component content://com.handcent.messaging.provider.MessageProvider/ of Handcent NextSMS v10.9.9.7 allows attackers to access sensitive data. | |||||
| CVE-2024-11643 | 2024-12-04 | N/A | 8.8 HIGH | ||
| The Accessibility by AllAccessible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'AllAccessible_save_settings' function in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | |||||
| CVE-2024-10567 | 2024-12-04 | N/A | 7.5 HIGH | ||
| The TI WooCommerce Wishlist plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wizard' function in all versions up to, and including, 2.9.1. This makes it possible for unauthenticated attackers to create new pages, modify plugin settings, and perform limited options updates. | |||||
| CVE-2024-9671 | 1 Redhat | 1 3scale Api Management Platform | 2024-12-04 | N/A | 5.3 MEDIUM |
| A vulnerability was found in 3Scale. There is no auth mechanism to see a PDF invoice of a Developer user if the URL is known. Anyone can see the invoice if the URL is known or guessed. | |||||
| CVE-2024-10664 | 2024-12-04 | N/A | 4.3 MEDIUM | ||
| The Knowledge Base documentation & wiki plugin – BasePress Docs plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the basepress_db_posts_update() function in all versions up to, and including, 2.16.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the database. | |||||
| CVE-2024-10663 | 2024-12-04 | N/A | 4.3 MEDIUM | ||
| The Eleblog – Elementor Blog And Magazine Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the goodbye_form_callback() function in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit a deactivation reason. | |||||
| CVE-2024-53938 | 2024-12-03 | N/A | 8.8 HIGH | ||
| An issue was discovered in Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. The TELNET service is enabled by default and exposed over the LAN. The root account is accessible without a password, allowing attackers to achieve full control over the router remotely without any authentication. | |||||