Total: 3284 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2024-1689 | Themefarmer | WooCommerce Tools | 2024-10-29 | 5.3 Medium | The WooCommerce Tools plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woocommerce_tool_toggle_module() function in all versions up to, and including, 1.2.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate arbitrary plugin modules.
CVE-2023-35677 | Google | Android | 2024-10-29 | 5.5 Medium | In onCreate of DeviceAdminAdd.java, there is a possible way to forcibly add a device admin due to a missing permission check. This could lead to local denial of service (factory reset or continuous locking) with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2024-10008 | Masteriyo | Masteriyo | 2024-10-29 | 8.8 High | The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin is vulnerable to unauthorized user profile modification due to missing authorization checks on the /wp-json/masteriyo/v1/users/$id REST API endpoint in all versions up to, and including, 1.13.3. This makes it possible for authenticated attackers, with Student-level access and above, to modify the roles of arbitrary users. As a result, attackers can escalate their privileges to Administrator and demote existing administrators to students.
CVE-2023-6491 | WPChill | Strong Testimonials | 2024-10-29 | 4.3 Medium | The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the wpmtst_save_view_sticky function in all versions up to, and including, 3.1.12. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify favorite views.
CVE-2024-50573 | JetBrains | Hub | 2024-10-29 | 4.3 Medium | In JetBrains Hub before 2024.3.47707, improper access control allowed users to generate permanent tokens for unauthorized services.
CVE-2024-49273 | Metagauss | ProfileGrid | 2024-10-29 | 4.3 Medium | Missing Authorization vulnerability in ProfileGrid User Profiles ProfileGrid. This issue affects ProfileGrid: from n/a through 5.9.3.
CVE-2024-50476 | GRÜN Software Group | spendino Spendenformular | 2024-10-29 | 9.8 Critical | Missing Authorization vulnerability in GRÜN Software Group GmbH GRÜN spendino Spendenformular allows Privilege Escalation. This issue affects GRÜN spendino Spendenformular: from n/a through 1.0.1.
CVE-2024-50475 | Scott Gamon | Signup Page | 2024-10-29 | 9.8 Critical | Missing Authorization vulnerability in Scott Gamon Signup Page allows Privilege Escalation. This issue affects Signup Page: from n/a through 1.0.
CVE-2024-49321 | Colorlib | Simple Custom Post Order | 2024-10-29 | 4.3 Medium | Missing Authorization vulnerability in Colorlib Simple Custom Post Order allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Custom Post Order: from n/a through 2.5.7.
CVE-2024-50490 | Szabolcs Szecsenyi | PegaPoll | 2024-10-29 | 9.8 Critical | Missing Authorization vulnerability in Szabolcs Szecsenyi PegaPoll allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects PegaPoll: from n/a through 1.0.2.
CVE-2024-49293 | Rextheme | WP VR | 2024-10-29 | 4.3 Medium | Missing Authorization vulnerability in Rextheme WP VR allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP VR: from n/a through 8.5.4.
CVE-2024-10437 | | | 2024-10-29 | 4.3 Medium | The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to unauthorized Smart Message activation/deactivation due to a missing capability check on the ajax_enable function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate smart messages.
CVE-2024-9629 | | | 2024-10-29 | 5.4 Medium | The Contact Form 7 + Telegram plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'wpcf7_Telegram::ajax' function in versions up to, and including, 0.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to approve, pause and refuse subscriptions.
CVE-2024-50052 | | | 2024-10-29 | 4.3 Medium | Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to check that the origin of the message in an integration action matches the original post metadata, which allows an authenticated user to delete an arbitrary post.
CVE-2024-10402 | Incsub | Forminator | 2024-10-29 | 7.5 High | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.35.1. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to create new or edit existing forms, including updating the default registration role to Administrator on User Registration forms.
CVE-2023-33992 | SAP | Business Warehouse, BW/4HANA | 2024-10-29 | 4.5 Medium | The SAP BW BICS communication layer in SAP Business Warehouse and SAP BW/4HANA - versions SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 750, DW4CORE 100, DW4CORE 200, DW4CORE 300 - may expose unauthorized cell values in the data response. To be able to exploit this, the user still needs authorizations on the query as well as on the key figure/measure level. The missing check only affects the data level.
CVE-2024-9626 | | | 2024-10-28 | 4.3 Medium | The Editorial Assistant by Sovrn plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_zemanta_set_featured_image' function in versions up to, and including, 1.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload attachment files (such as jpg, png, txt, zip) and set the post featured image.
CVE-2023-33265 | Hazelcast | Hazelcast, IMDG | 2024-10-28 | 8.8 High | In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted.
CVE-2024-10092 | | | 2024-10-28 | 4.3 Medium | The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revoke existing API keys and generate new ones.
CVE-2023-26562 | Zimbra | Collaboration | 2024-10-28 | 6.5 Medium | In Zimbra Collaboration (ZCS) 8.8.15 and 9.0, a closed account (with 2FA and generated passwords) can send e-mail messages when configured for IMAP/SMTP.
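Most of the WordPress rows above share one root cause: an `admin-ajax.php` action or a REST route that any authenticated user can reach (a Subscriber can fire every `wp_ajax_*` hook) and that acts on request data without asking whether the caller is allowed to. The Masteriyo row is the REST form of the same bug, with the extra twist that the check has to be made per target user, not just "is logged in". The following is an added example written for this page, not code from any plugin in the table: the hook names, option keys, REST namespace, role handling and the module allow-list are all hypothetical. It shows the vulnerable shape beside the hardened one for both the AJAX and the REST case.

```php
<?php
/**
 * Added example, not code from any plugin listed on this page.
 * All hook names, option keys, namespaces and module names are hypothetical.
 */

// --- admin-ajax pattern (the WooCommerce Tools, WPC Smart Messages, CF7 + Telegram,
//     Editorial Assistant and Download Monitor rows) -----------------------------

// VULNERABLE: every logged-in user, Subscriber included, can reach a wp_ajax_* hook,
// and nothing here checks whether the caller may change plugin settings.
add_action( 'wp_ajax_example_toggle_module', 'example_toggle_module_vulnerable' );
function example_toggle_module_vulnerable() {
    $module = sanitize_key( $_POST['module'] ?? '' );
    update_option( 'example_tools_module_' . $module, ! empty( $_POST['enabled'] ) );
    wp_send_json_success();
}

// HARDENED: CSRF nonce, then capability (authorization, not just authentication),
// then an allow-list so the caller cannot pick an arbitrary option name.
add_action( 'wp_ajax_example_toggle_module_v2', 'example_toggle_module_hardened' );
function example_toggle_module_hardened() {
    check_ajax_referer( 'example_toggle_module', 'nonce' ); // dies on a missing/bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $allowed = array( 'reviews', 'wishlist', 'coupons' ); // constructed allow-list
    $module  = sanitize_key( $_POST['module'] ?? '' );
    if ( ! in_array( $module, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown module' ), 400 );
    }
    update_option( 'example_tools_module_' . $module, ! empty( $_POST['enabled'] ) );
    wp_send_json_success();
}

// --- REST pattern (the Masteriyo row: object-level authorization on /users/{id}) ---

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/users/(?P<id>\d+)', array(
        'methods'  => 'POST',
        'callback' => 'example_update_user_role',
        // '__return_true' here would reproduce the vulnerable behaviour: the route
        // would accept any caller. The check is per target user, not a login test.
        'permission_callback' => function ( WP_REST_Request $request ) {
            $target = (int) $request['id'];
            return current_user_can( 'promote_users' )
                && current_user_can( 'edit_user', $target );
        },
        'args' => array(
            'id'   => array(
                'required'          => true,
                'validate_callback' => function ( $v ) { return ctype_digit( (string) $v ); },
            ),
            'role' => array( 'required' => true, 'sanitize_callback' => 'sanitize_key' ),
        ),
    ) );
} );

function example_update_user_role( WP_REST_Request $request ) {
    $user = get_userdata( (int) $request['id'] );
    if ( ! $user ) {
        return new WP_Error( 'rest_user_invalid_id', 'Invalid user ID.', array( 'status' => 404 ) );
    }
    $role = $request['role'];
    if ( ! get_role( $role ) ) {
        return new WP_Error( 'rest_invalid_role', 'Unknown role.', array( 'status' => 400 ) );
    }
    // Never let a non-administrator hand out 'administrator', even if a custom role
    // gave them promote_users; this is the escalation path the Masteriyo row describes.
    if ( 'administrator' === $role && ! current_user_can( 'administrator' ) ) {
        return new WP_Error( 'rest_cannot_promote', 'Cannot grant administrator.', array( 'status' => 403 ) );
    }
    $user->set_role( $role );
    return rest_ensure_response( array( 'id' => $user->ID, 'roles' => $user->roles ) );
}
```

Two points worth checking when reviewing a plugin against this table: a nonce alone is not an authorization check (it only proves the request came from a page the same user loaded), and a `permission_callback` that returns `is_user_logged_in()` is the REST equivalent of the Subscriber-level bugs above, since it never looks at which object the request targets.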