Total: 3290 CVE

CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2024-5941 | 1 Givewp | 1 Givewp | 2024-08-26 | 5.4 Medium | The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.14.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read attachment paths and delete attachment files. |
CVE-2024-5940 | 2 Givewp, Webdevmattcrom | 2 Givewp, Givewp Donation Plugin And Fundraising Platform | 2024-08-26 | 6.5 Medium | The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.13.0. This makes it possible for unauthenticated attackers to edit event ticket settings if the Events beta feature is enabled. |
CVE-2023-6700 | 1 Cookieinformation | 1 Wp-gdpr-compliance | 2024-08-26 | 8.8 High | The Cookie Information \| Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler in versions up to, and including, 2.0.22. This makes it possible for authenticated attackers, with subscriber-level access or higher, to edit arbitrary site options, which can be used to create administrator accounts. |
CVE-2024-20032 | | | 2024-08-23 | 6.7 Medium | In aee, there is a possible permission bypass due to a missing permission check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08487630; Issue ID: MSV-1020. |
CVE-2024-38506 | 1 Jetbrains | 1 Youtrack | 2024-08-23 | 6.3 Medium | In JetBrains YouTrack before 2024.2.34646, a user without appropriate permissions could enable the auto-attach option for workflows. |
CVE-2024-38504 | 1 Jetbrains | 1 Youtrack | 2024-08-23 | 4.3 Medium | In JetBrains YouTrack before 2024.2.34646, the Guest User Account was enabled for attaching files to articles. |
CVE-2024-1079 | 1 Ays-pro | 1 Quiz Maker | 2024-08-22 | 5.3 Medium | The Quiz Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_show_results() function in all versions up to, and including, 6.5.2.4. This makes it possible for unauthenticated attackers to fetch arbitrary quiz results, which can contain PII. |
CVE-2024-0394 | | | 2024-08-22 | 7.8 High | Rapid7 Minerva Armor versions below 4.5.5 suffer from a privilege escalation vulnerability whereby an authenticated attacker can elevate privileges and execute arbitrary code with SYSTEM privilege. The vulnerability is caused by the product's implementation of OpenSSL's `OPENSSLDIR` parameter, which is set to a path accessible to low-privileged users. The vulnerability has been remediated and fixed in version 4.5.5. |
CVE-2024-45168 | 1 Uci | 1 Idol 2 | 2024-08-22 | 9.1 Critical | An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Data is transferred over a raw socket without any authentication mechanism. Thus, communication endpoints are not verifiable. |
CVE-2024-0038 | | | 2024-08-22 | 8.4 High | In injectInputEventToInputFilter of AccessibilityManagerService.java, there is a possible arbitrary input event injection due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. |
CVE-2024-43331 | 1 Veronalabs | 1 Wp Sms | 2024-08-22 | 5.3 Medium | Missing Authorization vulnerability in VeronaLabs WP SMS. This issue affects WP SMS: from n/a through 6.9.3. |
CVE-2023-52229 | | | 2024-08-21 | 6.5 Medium | Missing Authorization vulnerability in Save as PDF plugin by Pdfcrowd Word Replacer Pro. This issue affects Word Replacer Pro: from n/a through 1.0. |
CVE-2023-4637 | 1 Wpvivid | 1 Migration, Backup, Staging | 2024-08-21 | 4.3 Medium | The WPvivid plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the restore() and get_restore_progress() functions in versions up to, and including, 0.9.94. This makes it possible for unauthenticated attackers to invoke these functions and obtain full file paths if they have access to a back-up ID. |
CVE-2024-43401 | 1 Xwiki | 2 Xwiki, Xwiki-platform | 2024-08-21 | 9.1 Critical | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script/programming right can trick a user with elevated rights into editing content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content. The payload is executed at edit time. This vulnerability has been patched in XWiki 15.10RC1. |
CVE-2024-6883 | | | 2024-08-21 | 4.3 Medium | The Event Espresso 4 Decaf – Event Registration Event Ticketing plugin for WordPress is vulnerable to limited unauthorized plugin settings modification due to a missing capability check on the saveTimezoneString and some other functions in all versions up to, and including, 5.0.22.decaf. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify some of the plugin settings. |
CVE-2024-37111 | 1 Wishlistmember | 1 Wishlist Member X | 2024-08-20 | 7.5 High | Missing Authorization vulnerability in Membership Software WishList Member X. This issue affects WishList Member X: from n/a before 3.26.7. |
CVE-2024-6500 | 1 Inspirelabs | 2 Inpost For Woocommerce, Inpost Pl | 2024-08-20 | 10 Critical | The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'parse_request' function in all versions up to, and including, 1.4.0 (for InPost for WooCommerce) as well as 1.4.4 (for InPost PL). This makes it possible for unauthenticated attackers to read and delete arbitrary files on Windows servers. On Linux servers, only files within the WordPress install can be deleted, but all files can be read. |
CVE-2024-31987 | | | 2024-08-20 | 10 Critical | XWiki Platform is a generic wiki platform. Starting in version 6.4-milestone-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, any user who can edit any page (such as their profile) can create a custom skin with a template override that is executed with programming right, thus allowing remote code execution. This has been patched in XWiki 14.10.19, 15.5.4 and 15.10RC1. No known workarounds are available except for upgrading. |
CVE-2024-37542 | 1 Wpdevart | 1 Gallery | 2024-08-20 | 5.4 Medium | Missing Authorization vulnerability in WpDevArt Responsive Image Gallery, Gallery Album. This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3. |
CVE-2024-43326 | | | 2024-08-20 | 5.4 Medium | Missing Authorization vulnerability in Jamie Bergen Plugin Notes Plus allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Plugin Notes Plus: from n/a through 1.2.7. |