Total: 18200 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2020-36837 | 1 Themegrill | 1 Themegrill Demo Importer | 2024-10-16 | 9.9 Critical | The ThemeGrill Demo Importer plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the reset_wizard_actions function in versions 1.3.4 through 1.6.1. This makes it possible for authenticated attackers to reset the WordPress database, after which, if a user named 'admin' exists, the attacker is automatically logged in as an administrator. |
CVE-2020-36832 | 1 Wpindeed | 1 Ultimate Membership Pro | 2024-10-16 | 9.8 Critical | The Ultimate Membership Pro plugin for WordPress is vulnerable to authentication bypass in versions 7.3 through 8.6, inclusive. This makes it possible for unauthenticated attackers to log in as any user, including the site administrator (default user ID 1), via the username or user ID. |
CVE-2024-9105 | 1 Tophive | 1 Ultimate Ai | 2024-10-16 | 9.8 Critical | The UltimateAI plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.8.3. This is due to insufficient verification of the user supplied to the 'ultimate_ai_register_or_login_with_google' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to that user's email address. |
CVE-2024-9201 | 2 Seur, Seur Oficial Project | 2 Seur, Seur Oficial | 2024-10-16 | 9.4 Critical | The SEUR plugin, in versions prior to 2.5.11, is vulnerable to time-based SQL injection through the 'id_order' parameter of the '/modules/seur/ajax/saveCodFee.php' endpoint. |
CVE-2024-48283 | 1 Phpgurukul | 1 User Registration And Login And User Management System | 2024-10-16 | 9.8 Critical | Phpgurukul User Registration & Login and User Management System 3.2 is vulnerable to SQL injection in /admin//search-result.php via the searchkey parameter. |
CVE-2024-48914 | 1 Vendure | 1 Vendure | 2024-10-16 | 9.1 Critical | Vendure is an open-source headless commerce platform. Prior to versions 3.0.5 and 2.3.3, a vulnerability in Vendure's asset server plugin allows an attacker to craft a request that traverses the server file system and retrieves the contents of arbitrary files, including sensitive data such as configuration files, environment variables and other critical data stored on the server. The same code path contains an additional vector for crashing the server via a malformed URI. Patches are available in versions 3.0.5 and 2.3.3. Workarounds are also available: use object storage (e.g. MinIO or S3) rather than the local file system, or define middleware that detects and blocks requests whose URLs contain `/../`. |
CVE-2024-49218 | 1 Recently Project | 1 Recently | 2024-10-16 | 9.8 Critical | Deserialization of Untrusted Data vulnerability in Al Imran Akash Recently allows Object Injection. This issue affects Recently: from n/a through 1.1. |
CVE-2024-48034 | 1 Fliperr Team | 1 Creates 3d Flipbook Pdf Flipbook | 2024-10-16 | 9.9 Critical | Unrestricted Upload of File with Dangerous Type vulnerability in Fliperrr Team Creates 3D Flipbook, PDF Flipbook allows Upload a Web Shell to a Web Server. This issue affects Creates 3D Flipbook, PDF Flipbook: from n/a through 1.2. |
CVE-2024-47649 | 1 Thatplugin | 1 Iconize | 2024-10-16 | 9.1 Critical | Unrestricted Upload of File with Dangerous Type vulnerability in THATplugin Iconize. This issue affects Iconize: from n/a through 1.2.4. |
CVE-2024-48028 | 1 Boyan Raichev | 1 Ip Loc8 | 2024-10-16 | 9.8 Critical | Deserialization of Untrusted Data vulnerability in Boyan Raichev IP Loc8 allows Object Injection. This issue affects IP Loc8: from n/a through 1.1. |
CVE-2024-48042 | 1 Supsystic | 1 Contact Form | 2024-10-16 | 9.1 Critical | Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Supsystic Contact Form by Supsystic allows Command Injection. This issue affects Contact Form by Supsystic: from n/a through 1.7.28. |
CVE-2024-48026 | 1 Grayson Robbins | 1 Disc Golf Manager | 2024-10-16 | 9.8 Critical | Deserialization of Untrusted Data vulnerability in Grayson Robbins Disc Golf Manager allows Object Injection. This issue affects Disc Golf Manager: from n/a through 1.0.0. |
CVE-2024-48027 | 1 Xaraartech | 1 External Featured Image From Bing | 2024-10-16 | 9.9 Critical | Unrestricted Upload of File with Dangerous Type vulnerability in xaraartech External featured image from bing allows Upload a Web Shell to a Web Server. This issue affects External featured image from bing: from n/a through 1.0.2. |
CVE-2024-48030 | 1 Gabriele Valenti | 1 Telecash Ricaricaweb | 2024-10-16 | 9.8 Critical | Deserialization of Untrusted Data vulnerability in Gabriele Valenti Telecash Ricaricaweb allows Object Injection. This issue affects Telecash Ricaricaweb: from n/a through 2.2. |
CVE-2024-48035 | 1 Takayukiimanishi | 1 Acf Images Search And Insert | 2024-10-16 | 9.9 Critical | Unrestricted Upload of File with Dangerous Type vulnerability in Takayuki Imanishi ACF Images Search And Insert allows Upload a Web Shell to a Web Server. This issue affects ACF Images Search And Insert: from n/a through 1.1.4. |
CVE-2024-49247 | 1 Oc2ps | 1 Better-bp-registration | 2024-10-16 | 9.8 Critical | Authentication Bypass Using an Alternate Path or Channel vulnerability in sooskriszta, webforza BuddyPress Better Registration allows Authentication Bypass. This issue affects BuddyPress Better Registration: from n/a through 1.6. |
CVE-2024-49242 | 1 Shafiq | 1 Digital Library | 2024-10-16 | 10.0 Critical | Unrestricted Upload of File with Dangerous Type vulnerability in Shafiq Digital Lottery allows Upload a Web Shell to a Web Server. This issue affects Digital Lottery: from n/a through 3.0.5. |
CVE-2024-9893 | 1 Nextendweb | 1 Nextend Social Login Pro | 2024-10-16 | 9.8 Critical | The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.1.14. This is due to insufficient verification of the user returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to that user's email address and the user does not already have a linked account for the service returning the token. |
CVE-2024-49271 | 1 Unlimited-elements | 1 Unlimited Elements For Elementor (Free Widgets, Addons, Templates) | 2024-10-16 | 9.1 Critical | Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) allows Command Injection. This issue affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): from n/a through 1.5.121. |
CVE-2024-49216 | 1 Joshua Clayton | 1 Feed Comments Number | 2024-10-16 | 10.0 Critical | Unrestricted Upload of File with Dangerous Type vulnerability in Joshua Clayton Feed Comments Number allows Upload a Web Shell to a Web Server. This issue affects Feed Comments Number: from n/a through 0.2.1. |
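For the missing capability check in the CVE-2020-36837 row: an added example, not ThemeGrill's code, showing a hypothetical destructive plugin action wired to WordPress's admin-post.php, first as it looks with no authorization check and then hardened. It assumes WordPress is loaded; every `demo_*` function name, the `demo_reset` action and the nonce action string are invented for this example.

```php
<?php
// Added example (not ThemeGrill's code). A hypothetical plugin action that
// resets site data, wired to admin-post.php. Assumes WordPress is loaded;
// every demo_* name and the nonce action string are invented for this example.

// Placeholder for the irreversible operation the handler protects; the point
// of the example is the guard around it, not the reset itself.
function demo_perform_reset() {
    // e.g. drop and re-create plugin tables, delete imported content...
}

// VULNERABLE PATTERN. admin-post.php only guarantees that *some* user is
// logged in before firing admin_post_{action}; nothing here checks which
// user. Any subscriber-level account can trigger the reset.
function demo_reset_wizard_actions_vulnerable() {
    demo_perform_reset();
    wp_safe_redirect( admin_url() );
    exit;
}

// HARDENED PATTERN. Two independent checks:
//  1. current_user_can() with the capability that matches the action
//     (manage_options is administrator-only on a default install).
//  2. check_admin_referer() verifies a nonce tied to the logged-in user, so an
//     administrator cannot be made to trigger the reset through a forged link
//     (CSRF). It calls wp_die() itself when the nonce is missing or invalid.
function demo_reset_wizard_actions_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to reset this site.', 403 );
    }
    check_admin_referer( 'demo_reset_wizard' );

    demo_perform_reset();
    wp_safe_redirect( admin_url() );
    exit;
}

// The link the plugin's own settings page would render: carries _wpnonce so
// that the hardened handler's referer check passes for a legitimate click.
function demo_reset_link() {
    return wp_nonce_url(
        admin_url( 'admin-post.php?action=demo_reset' ),
        'demo_reset_wizard'
    );
}

// Register only the hardened handler. Registering the vulnerable one instead
// is exactly the missing-capability-check bug class the advisory describes.
add_action( 'admin_post_demo_reset', 'demo_reset_wizard_actions_hardened' );
```

Being logged in, or being reached through an `admin_` hook, is not an authorization check; the capability passed to `current_user_can()` must name the privilege the action actually needs. For AJAX handlers the equivalent pair is `current_user_can()` plus `check_ajax_referer()`.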
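For the social-login bypasses in the CVE-2024-9105 and CVE-2024-9893 rows, which both reduce to an existing user being matched by email address alone: an added example, not Tophive's or Nextend's code, written in plain PHP with a constructed in-memory user table and link table. It assumes the provider token has already been validated (signature, issuer, audience, expiry) by the caller; the code only decides which local user, if any, the identity may log in as. The `google` provider name, user records and subject IDs are all constructed.

```php
<?php
// Added example (not Tophive's or Nextend's code). Models the account-matching
// step that runs after a social-login token has been obtained and validated.
// All users, links and claims below are constructed sample data.

$users = [
    ['id' => 1, 'email' => 'admin@example.test', 'role' => 'administrator'],
    ['id' => 7, 'email' => 'alice@example.test', 'role' => 'subscriber'],
];
// Existing provider links: "provider:subject" => local user id.
$links = [
    'google:111111' => 7,
];

// VULNERABLE PATTERN: when no link exists for this (provider, subject), fall
// back to matching an existing account by e-mail. Anyone who can present a
// provider identity carrying the target's address is logged in as the target.
function resolve_user_vulnerable(array $claims, array $users, array $links): ?int {
    $key = $claims['provider'] . ':' . $claims['sub'];
    if (isset($links[$key])) {
        return $links[$key];
    }
    foreach ($users as $u) {
        if (strcasecmp($u['email'], $claims['email'] ?? '') === 0) {
            return $u['id']; // silent account takeover path
        }
    }
    return null;
}

// HARDENED PATTERN: a social identity logs in only a user who previously
// linked that exact (provider, subject). An unlinked identity never maps onto
// an existing local account by e-mail; it may only create a fresh account,
// and only when the provider asserts the address is verified. Linking a
// provider to an existing account is left to a flow where the user has
// already authenticated by their normal means.
function resolve_user_hardened(array $claims, array $users, array $links): array {
    $key = $claims['provider'] . ':' . $claims['sub'];
    if (isset($links[$key])) {
        return ['action' => 'login', 'user_id' => $links[$key]];
    }
    $email = $claims['email'] ?? '';
    foreach ($users as $u) {
        if (strcasecmp($u['email'], $email) === 0) {
            return ['action' => 'deny', 'reason' => 'email_in_use'];
        }
    }
    if (empty($claims['email_verified'])) {
        return ['action' => 'deny', 'reason' => 'email_unverified'];
    }
    return ['action' => 'register', 'email' => $email];
}

// Constructed attacker-controlled identity: a subject that was never linked,
// carrying the administrator's address.
$attacker = [
    'provider' => 'google', 'sub' => '999999',
    'email' => 'admin@example.test', 'email_verified' => true,
];
// Constructed legitimate identity: the subject alice linked earlier.
$alice = ['provider' => 'google', 'sub' => '111111',
          'email' => 'alice@example.test', 'email_verified' => true];

echo "vulnerable, attacker: ";
var_export(resolve_user_vulnerable($attacker, $users, $links));
echo "\nhardened, attacker:   ";
var_export(resolve_user_hardened($attacker, $users, $links));
echo "\nhardened, alice:      ";
var_export(resolve_user_hardened($alice, $users, $links));
echo "\n";
```

The lookup key in the hardened version is the provider's stable subject identifier, never the email claim; email is used only to refuse collisions and to seed a new account. That is what closes the "has access to the email" condition in both advisories.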
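For the asset-server traversal in the CVE-2024-48914 row and the `/../`-blocking middleware it lists as a workaround: an added example, not Vendure's code (Vendure is TypeScript; PHP is used here to match the other examples on this page, and the logic is the same in any runtime). It shows the request filter as a cheap first layer, with the caveat that a raw substring test for `/../` misses percent-encoded forms, and a realpath-based containment check as the layer that actually decides. The function names and the temporary asset directory are constructed here.

```php
<?php
// Added example, not Vendure's code. Two layers for serving files out of an
// asset directory. Names and the sample directory are constructed here.

// Layer 1: reject traversal in the request path before anything else runs.
// A plain strpos($path, '/../') check misses "%2e%2e%2f", "%252e%252e" and
// "..%5c", so decode first (double encoding is common) and test segments.
// Returns true when the request should be blocked.
function looks_like_traversal(string $rawPath): bool {
    $decoded = $rawPath;
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }
    $decoded = str_replace('\\', '/', $decoded);
    foreach (explode('/', $decoded) as $segment) {
        if ($segment === '..') {
            return true;
        }
    }
    return false;
}

// Layer 2: resolve the requested file and verify it is still inside the asset
// root. realpath() collapses "..", "." and symlinks, so the comparison is on
// the real filesystem location. Returns the safe absolute path or null.
function resolve_asset(string $assetRoot, string $requestPath): ?string {
    $root = realpath($assetRoot);
    if ($root === false) {
        return null;
    }
    $candidate = realpath($root . '/' . ltrim($requestPath, '/'));
    if ($candidate === false) {
        return null; // no such file
    }
    // Compare against the root plus a separator so that a sibling directory
    // such as "/srv/assets-private" is not accepted as inside "/srv/assets".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // escaped the root
    }
    return $candidate;
}

// Constructed sandbox: an asset root with one public file, and a file outside
// it standing in for a config/env file, to exercise both layers.
$base = sys_get_temp_dir() . '/asset-demo-' . getmypid();
mkdir("$base/assets", 0700, true);
file_put_contents("$base/assets/logo.png", 'PNG');
file_put_contents("$base/secret.env", 'SECRET=demo');

$requests = [
    '/logo.png',
    '/../secret.env',
    '/%2e%2e/secret.env',
    '/%252e%252e/secret.env',
    '/..%5csecret.env',
];
foreach ($requests as $r) {
    $blocked  = looks_like_traversal($r);
    // Layer 2 is run independently here to show it holds on its own.
    $resolved = resolve_asset("$base/assets", rawurldecode($r));
    printf("%-26s filter=%-5s resolved=%s\n", $r,
           $blocked ? 'block' : 'pass',
           $resolved === null ? 'null' : basename($resolved));
}

// Cleanup of the constructed sandbox.
unlink("$base/assets/logo.png");
unlink("$base/secret.env");
rmdir("$base/assets");
rmdir($base);
```

Treat the filter as defence in depth only: the containment check on the resolved path is what prevents reads outside the root, and it also covers the case where a framework has already decoded the URL once before the filter sees it.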