Total
4575 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-7381 | 1 Infinitumform | 1 Geo Controller | 2024-09-06 | N/A | 5.3 MEDIUM |
| The Geo Controller plugin for WordPress is vulnerable to unauthorized shortcode execution due to missing authorization and capability checks on the ajax__shortcode_cache function in all versions up to, and including, 8.6.9. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes available on the target site. | |||||
| CVE-2024-7380 | 1 Infinitumform | 1 Geo Controller | 2024-09-06 | N/A | 4.3 MEDIUM |
| The Geo Controller plugin for WordPress is vulnerable to unauthorized menu creation/deletion due to missing capability checks on the ajax__geolocate_menu and ajax__geolocate_remove_menu functions in all versions up to, and including, 8.6.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or delete WordPress menus. | |||||
| CVE-2024-8289 | 1 Multivendorx | 1 Multivendorx | 2024-09-05 | N/A | 9.8 CRITICAL |
| The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to privilege escalation/de-escalation and account takeover due to an insufficient capability check on the update_item_permissions_check and create_item_permissions_check functions in all versions up to, and including, 4.2.0. This makes it possible for unauthenticated attackers to change the password of any user with the vendor role, create new users with the vendor role, and demote other users like administrators to the vendor role. | |||||
| CVE-2024-41108 | 1 Fogproject | 1 Fogproject | 2024-09-05 | N/A | 5.9 MEDIUM |
| FOG is a free open-source cloning/imaging/rescue suite/inventory management system. The hostinfo page has missing/improper access control since only the host's mac address is required to obtain the configuration information. This data can only be retrieved if a task is pending on that host. Otherwise, an error message containing "Invalid tasking!" will be returned. The domainpassword in the hostinfo dump is hidden even to authenticated users, as it is displayed as a row of asterisks when navigating to the host's Active Directory settings. This vulnerability is fixed in 1.5.10.41. | |||||
| CVE-2024-8102 | 1 Wpextended | 1 Wp Extended | 2024-09-05 | N/A | 8.8 HIGH |
| The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the module_all_toggle_ajax() function in all versions up to, and including, 3.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | |||||
| CVE-2024-45050 | 2024-09-05 | N/A | 7.1 HIGH | ||
| Ringer server is the server code for the Ringer messaging app. Prior to version 1.3.1, there is an issue with the messages loading route where Ringer Server does not check to ensure that the user loading the conversation is actually a member of that conversation. This allows any user with a Lif Account to load any conversation between two users without permission. This issue had been patched in version 1.3.1. There is no action required for users. Lif Platforms will update their servers with the patch. | |||||
| CVE-2024-5784 | 1 Tutorlms | 1 Tutor Lms Pro | 2024-09-03 | N/A | 6.3 MEDIUM |
| The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized administrative actions execution due to a missing capability checks on multiple functions like treport_quiz_atttempt_delete and tutor_gc_class_action in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with the subscriber-level access and above, to preform an administrative actions on the site, like comments, posts or users deletion, viewing notifications, etc. | |||||
| CVE-2024-7858 | 1 Maxfoundry | 1 Media Library Folders | 2024-09-03 | N/A | 6.3 MEDIUM |
| The Media Library Folders plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several AJAX functions in the media-library-plus.php file in all versions up to, and including, 8.2.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several actions related to managing media files and folder along with controlling settings. | |||||
| CVE-2024-7032 | 1 Zaytech | 1 Smart Online Order For Clover | 2024-08-31 | N/A | 6.5 MEDIUM |
| The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'moo_deactivateAndClean' function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to deactivate the plugin and drop all plugin tables from the database. | |||||
| CVE-2024-7030 | 1 Zaytech | 1 Smart Online Order For Clover | 2024-08-31 | N/A | 4.3 MEDIUM |
| The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.5.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update product and category descriptions, category titles and images, and sort order. | |||||
| CVE-2024-41918 | 1 Rakuten | 1 Ichiba | 2024-08-30 | N/A | 6.1 MEDIUM |
| 'Rakuten Ichiba App' for Android 12.4.0 and earlier and 'Rakuten Ichiba App' for iOS 11.7.0 and earlier are vulnerable to improper authorization in handler for custom URL scheme. An arbitrary site may be displayed on the WebView of the product via Intent from another application installed on the user's device. As a result, the user may be redirected to an unauthorized site, and the user may become a victim of a phishing attack. | |||||
| CVE-2024-8199 | 1 Smashballoon | 1 Reviews Feed | 2024-08-30 | N/A | 4.3 MEDIUM |
| The Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_api_key' function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update API Key options. | |||||
| CVE-2024-20413 | 2024-08-29 | N/A | 6.7 MEDIUM | ||
| A vulnerability in Cisco NX-OS Software could allow an authenticated, local attacker with privileges to access the Bash shell to elevate privileges to network-admin on an affected device. This vulnerability is due to insufficient security restrictions when executing application arguments from the Bash shell. An attacker with privileges to access the Bash shell could exploit this vulnerability by executing crafted commands on the underlying operating system. A successful exploit could allow the attacker to create new users with the privileges of network-admin. | |||||
| CVE-2023-4024 | 1 Softlabbd | 1 Radio Player | 2024-08-28 | N/A | 5.3 MEDIUM |
| The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_player function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to delete player instances. | |||||
| CVE-2023-4025 | 1 Softlabbd | 1 Radio Player | 2024-08-28 | N/A | 5.3 MEDIUM |
| The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_player function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to update player instances. | |||||
| CVE-2024-6688 | 2024-08-27 | N/A | 4.3 MEDIUM | ||
| The Oxygen Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the oxy_save_css_from_admin AJAX action in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update stylesheets. | |||||
| CVE-2024-5941 | 1 Givewp | 1 Givewp | 2024-08-26 | N/A | 5.4 MEDIUM |
| The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.14.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read attachment paths and delete attachment files. | |||||
| CVE-2024-5940 | 1 Givewp | 1 Givewp | 2024-08-26 | N/A | 5.3 MEDIUM |
| The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.13.0. This makes it possible for unauthenticated attackers to edit event ticket settings if the Events beta feature is enabled. | |||||
| CVE-2024-5939 | 1 Givewp | 1 Givewp | 2024-08-26 | N/A | 5.3 MEDIUM |
| The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'setup_wizard' function in all versions up to, and including, 3.13.0. This makes it possible for unauthenticated attackers to read the setup wizard administrative pages. | |||||
| CVE-2024-45168 | 2024-08-22 | N/A | 9.1 CRITICAL | ||
| An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Data is transferred over a raw socket without any authentication mechanism. Thus, communication endpoints are not verifiable. | |||||