Total
4922 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-0570 | 1 Totolink | 2 N350rt, N350rt Firmware | 2024-11-21 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability classified as critical was found in Totolink N350RT 9.3.5u.6265. This vulnerability affects unknown code of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. It is recommended to upgrade the affected component. VDB-250786 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-0569 | 1 Totolink | 2 T8, T8 Firmware | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic has been found in Totolink T8 4.1.5cu.833_20220905. This affects the function getSysStatusCfg of the file /cgi-bin/cstecgi.cgi of the component Setting Handler. The manipulation of the argument ssid/key leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.5cu.862_B20230228 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-250785 was assigned to this vulnerability. | |||||
| CVE-2024-0372 | 1 Formviewswp | 1 Views For Wpforms | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_form_fields' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to create form views. | |||||
| CVE-2024-0371 | 1 Formviewswp | 1 Views For Wpforms | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'create_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to create form views. | |||||
| CVE-2024-0370 | 1 Formviewswp | 1 Views For Wpforms | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to modify the titles of arbitrary posts. | |||||
| CVE-2024-0201 | 1 Webcodingplace | 1 Product Expiry For Woocommerce | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Product Expiry for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_settings' function in versions up to, and including, 2.5. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update plugin settings. | |||||
| CVE-2023-7068 | 1 Webtoffee | 1 Woocommerce Pdf Invoices\, Packing Slips\, Delivery Notes And Shipping Labels | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on theprint_packinglist action in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to export orders which can contain sensitive information. | |||||
| CVE-2023-6985 | 1 10web | 1 Ai Assistant | 2024-11-21 | N/A | 6.5 MEDIUM |
| The 10Web AI Assistant – AI content writing assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the install_plugin AJAX action in all versions up to, and including, 1.0.18. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins that can be used to gain further access to a compromised site. | |||||
| CVE-2023-6966 | 1 Themoneytizer | 1 The Moneytizer | 2024-11-21 | N/A | 8.1 HIGH |
| The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/core_ajax.php file in all versions up to, and including, 9.5.20. This makes it possible for authenticated attackers, with subscriber access and above, to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages as well as other lower-severity actions. | |||||
| CVE-2023-6876 | 1 Nayrathemes | 1 Clever Fox | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Clever Fox – One Click Website Importer by Nayra Themes plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'clever-fox-activate-theme' function in all versions up to, and including, 25.2.0. This makes it possible for authenticated attackers, with subscriber access and above, to modify the active theme, including to an invalid value which can take down the site. | |||||
| CVE-2023-6840 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 6.7 MEDIUM |
| An issue has been discovered in GitLab EE affecting all versions from 16.4 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows a maintainer to change the name of a protected branch that bypasses the security policy added to block MR. | |||||
| CVE-2023-6798 | 1 Themeisle | 1 Rss Aggregator By Feedzy | 2024-11-21 | N/A | 5.4 MEDIUM |
| The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized settings update due to a missing capability check when updating settings in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with author-level access or above to change the plugin's settings including proxy settings, which are also exposed to authors. | |||||
| CVE-2023-6751 | 1 Hostinger | 1 Hostinger | 2024-11-21 | N/A | 7.3 HIGH |
| The Hostinger plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the function publish_website in all versions up to, and including, 1.9.7. This makes it possible for unauthenticated attackers to enable and disable maintenance mode. | |||||
| CVE-2023-6733 | 1 Butlerblog | 1 Wp-members | 2024-11-21 | N/A | 6.5 MEDIUM |
| The WP-Members Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.8 via the wpmem_field shortcode. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including user emails, password hashes, usernames, and more. | |||||
| CVE-2023-6700 | 1 Cookieinformation | 1 Wp-gdpr-compliance | 2024-11-21 | N/A | 8.8 HIGH |
| The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler in versions up to, and including, 2.0.22. This makes it possible for authenticated attackers, with subscriber-level access or higher, to edit arbitrary site options which can be used to create administrator accounts. | |||||
| CVE-2023-6696 | 1 Sygnoos | 1 Popup Builder | 2024-11-21 | N/A | 8.1 HIGH |
| The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including, 4.3.1. While some functions contain a nonce check, the nonce can be obtained from the profile page of a logged-in user. This allows subscribers to perform several actions including deleting subscribers and perform blind Server-Side Request Forgery. | |||||
| CVE-2023-6598 | 1 Softaculous | 1 Speedycache | 2024-11-21 | N/A | 4.3 MEDIUM |
| The SpeedyCache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the speedycache_save_varniship, speedycache_img_update_settings, speedycache_preloading_add_settings, and speedycache_preloading_delete_resource functions in all versions up to, and including, 1.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to update plugin options. | |||||
| CVE-2023-6496 | 1 Freeamigos | 1 Manage Notification E-mails | 2024-11-21 | N/A | 5.3 MEDIUM |
| The Manage Notification E-mails plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.8.5 via the card_famne_export_settings function. This makes it possible for unauthenticated attackers to obtain plugin settings. | |||||
| CVE-2023-6491 | 1 Wpchill | 1 Strong Testimonials | 2024-11-21 | N/A | 4.3 MEDIUM |
| The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the wpmtst_save_view_sticky function in all versions up to, and including, 3.1.12. This makes it possible for authenticated attackers, with contributor access and above, to modify favorite views. | |||||
| CVE-2023-6394 | 2 Quarkus, Redhat | 2 Quarkus, Build Of Quarkus | 2024-11-21 | N/A | 7.4 HIGH |
| A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions. | |||||