Total: 4572 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-23640 | 1 Mainwp | 1 Updraftplus Extension | 2024-10-05 | N/A | 8.8 HIGH |
Missing Authorization vulnerability in MainWP MainWP UpdraftPlus Extension. This issue affects MainWP UpdraftPlus Extension: from n/a through 4.0.6. | |||||
CVE-2024-31294 | 1 Androidbubble | 1 Wp Sort Order | 2024-10-05 | N/A | 8.8 HIGH |
Missing Authorization vulnerability in Fahad Mahmood WP Sort Order. This issue affects WP Sort Order: from n/a through 1.3.1. | |||||
CVE-2024-31246 | 1 Wpxpo | 1 Postx | 2024-10-05 | N/A | 8.8 HIGH |
Missing Authorization vulnerability in Post Grid Team by WPXPO PostX – Gutenberg Blocks for Post Grid. This issue affects PostX – Gutenberg Blocks for Post Grid: from n/a through 3.2.3. | |||||
CVE-2024-7950 | 1 Wpjobportal | 1 Wp Job Portal | 2024-10-04 | N/A | 9.8 CRITICAL |
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Local File Inclusion, Arbitrary Settings Update, and User Creation in all versions up to, and including, 2.1.6 via several functions called by the 'checkFormRequest' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Attackers can also update arbitrary settings and create user accounts even when registration is disabled, leading to user creation with a default role of Administrator. | |||||
CVE-2024-5053 | 1 Fluentforms | 1 Contact Form | 2024-10-04 | N/A | 4.3 MEDIUM |
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized Mailchimp API key update due to an insufficient capability check on the verifyRequest function in all versions up to, and including, 5.1.18. This makes it possible for Form Managers with Subscriber-level access and above to modify the Mailchimp API key used for the integration. At the same time, missing Mailchimp API key validation allows integration requests to be redirected to an attacker-controlled server. | |||||
CVE-2024-8430 | | | 2024-10-04 | N/A | 5.3 MEDIUM |
The Spice Starter Sites plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the spice_starter_sites_importer_creater function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to import demo content. | |||||
CVE-2024-8675 | | | 2024-10-04 | N/A | 4.3 MEDIUM |
The Soumettre.fr plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the soumettre_disconnect_gateway function in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the gateway and delete the API key. | |||||
CVE-2024-5857 | 1 Funnelforms | 1 Funnelforms Free | 2024-10-04 | N/A | 5.3 MEDIUM |
The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the af2_handel_file_remove AJAX action in all versions up to, and including, 3.7.3.2. This makes it possible for unauthenticated attackers to delete arbitrary media files. | |||||
CVE-2024-5987 | 1 Volkov | 1 Wp Accessibility Helper | 2024-10-04 | N/A | 4.3 MEDIUM |
The WP Accessibility Helper (WAH) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_contrast_variations' and 'save_empty_contrast_variations' functions in all versions up to, and including, 0.6.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit or delete contrast settings. Please note these issues were patched in 0.6.2.8, though it broke functionality and the vendor has not responded to our follow-ups. | |||||
CVE-2024-9189 | 1 Wpfactory | 1 Eu/uk Vat Manager For Woocommerce | 2024-10-03 | N/A | 5.3 MEDIUM |
The EU/UK VAT Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the alg_wc_eu_vat_exempt_vat_from_admin() function in all versions up to, and including, 2.12.12. This makes it possible for unauthenticated attackers to update the VAT status for any order. | |||||
CVE-2024-5129 | 1 Lunary | 1 Lunary | 2024-10-03 | N/A | 8.2 HIGH |
A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks. The vulnerability is present in the dataset deletion functionality, where the application fails to verify if the user requesting the deletion has the appropriate permissions. This allows unauthorized users to send a DELETE request to the server and delete any dataset by specifying its ID. The issue is located in the datasets.delete function within the datasets index file. | |||||
CVE-2023-36695 | 1 Maximeschoeni | 1 Sublanguage | 2024-10-03 | N/A | 8.8 HIGH |
Missing Authorization vulnerability in Maxime Schoeni Sublanguage. This issue affects Sublanguage: from n/a through 2.9. | |||||
CVE-2024-8678 | 1 Revolut | 1 Revolut Gateway For Woocommerce | 2024-10-02 | N/A | 5.3 MEDIUM |
The Revolut Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wc/v3/revolut REST API endpoint in all versions up to, and including, 4.17.3. This makes it possible for unauthenticated attackers to mark orders as completed. | |||||
CVE-2024-8658 | 1 Mycred | 1 Mycred | 2024-10-02 | N/A | 5.3 MEDIUM |
The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mycred_update_database() function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to upgrade an out of date database. | |||||
CVE-2023-38464 | 2 Google, Unisoc | 9 Android, Sc7731e, Sc9832e and 6 more | 2024-10-02 | N/A | 7.8 HIGH |
In vowifiservice, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges | |||||
CVE-2024-47330 | 1 Supsystic | 2 Slider, Social Share Buttons | 2024-10-02 | N/A | 8.8 HIGH |
Missing Authorization vulnerability in Supsystic Slider by Supsystic, Supsystic Social Share Buttons by Supsystic. This issue affects Slider by Supsystic: from n/a through 1.8.6; Social Share Buttons by Supsystic: from n/a through 2.2.9. | |||||
CVE-2024-8350 | 1 Uncannyowl | 1 Uncanny Groups For Learndash | 2024-10-02 | N/A | 2.7 LOW |
The Uncanny Groups for LearnDash plugin for WordPress is vulnerable to user group add due to a missing capability check on the /wp-json/ulgm_management/v1/add_user/ REST API endpoint in all versions up to, and including, 6.1.0.1. This makes it possible for authenticated attackers, with group leader-level access and above, to add users to their group which ultimately allows them to leverage CVE-2024-8349 and gain admin access to the site. | |||||
CVE-2024-8552 | 1 Wpchill | 1 Download Monitor | 2024-10-02 | N/A | 4.3 MEDIUM |
The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including, 5.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable shop functionality. | |||||
CVE-2024-8349 | 1 Uncannyowl | 1 Uncanny Groups For Learndash | 2024-10-02 | N/A | 7.2 HIGH |
The Uncanny Groups for LearnDash plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0.1. This is due to the plugin not properly restricting what users a group leader can edit. This makes it possible for authenticated attackers, with group leader-level access and above, to change admin account email addresses which can subsequently lead to admin account access. | |||||
CVE-2023-3426 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-10-02 | N/A | 4.3 MEDIUM |
The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations. | |||||
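Most WordPress entries in this table describe the same defect at one of two entry points: an admin-ajax action that is reachable without a capability check (the Funnelforms, Spice Starter Sites, VAT Manager, myCred and Download Monitor entries) or a REST route whose permission callback lets anyone through (the Revolut and Uncanny Groups entries). The block below is an added example, not code from any of the listed plugins, showing each entry point in its vulnerable form beside a fixed form. The plugin prefix `acme`, the option and meta keys, and the hook and route names are hypothetical; the WordPress functions used (`add_action`, `check_ajax_referer`, `current_user_can`, `register_rest_route`, `wp_send_json_error`) are real core API.

```php
<?php
/**
 * Added example (hypothetical plugin "acme"): missing capability checks at
 * the two WordPress entry points named in the advisories above, shown
 * vulnerable and fixed. Not code from any plugin in the table.
 */

// ---- 1. admin-ajax action -------------------------------------------------

// VULNERABLE: registered for logged-out visitors as well (wp_ajax_nopriv_*)
// and the callback verifies nothing, so anyone who can reach
// /wp-admin/admin-ajax.php?action=acme_enable_shop_v can change the option.
// This is the shape behind "unauthenticated attackers ... enable/update ...".
add_action( 'wp_ajax_acme_enable_shop_v',        'acme_enable_shop_vulnerable' );
add_action( 'wp_ajax_nopriv_acme_enable_shop_v', 'acme_enable_shop_vulnerable' );
function acme_enable_shop_vulnerable() {
    update_option( 'acme_shop_enabled', '1' );
    wp_send_json_success();
}

// FIXED: no *_nopriv registration (logged-in only), a nonce bound to this
// action (stops CSRF), and a capability matching the effect of the action.
// is_user_logged_in() alone would NOT be a fix: Subscribers are logged in,
// which is exactly the "Subscriber-level access and above" case above.
add_action( 'wp_ajax_acme_enable_shop', 'acme_enable_shop_fixed' );
function acme_enable_shop_fixed() {
    check_ajax_referer( 'acme_enable_shop', 'nonce' ); // dies on missing/invalid nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'acme_shop_enabled', '1' );
    wp_send_json_success();
}

// ---- 2. REST route --------------------------------------------------------

add_action( 'rest_api_init', function () {
    // VULNERABLE: '__return_true' makes the route public. Since WordPress 5.5
    // a missing permission_callback triggers a _doing_it_wrong notice, and
    // '__return_true' is the common way that notice gets silenced without
    // adding a real check.
    register_rest_route( 'acme/v1', '/orders/(?P<id>\d+)/complete-v', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'acme_complete_order',
        'permission_callback' => '__return_true',
    ) );

    // FIXED: the permission callback decides per request AND per object.
    // 'edit_post' is a core meta capability that WordPress maps through the
    // target post type's own capabilities, so this also covers the
    // "can edit this specific order" question that a bare role check misses
    // (the object-scope failure in the Uncanny Groups entries). For
    // cookie-authenticated callers WordPress checks the X-WP-Nonce header
    // before this callback runs; callers without a valid nonce are treated
    // as logged out.
    register_rest_route( 'acme/v1', '/orders/(?P<id>\d+)/complete', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'acme_complete_order',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request['id'] );
        },
        'args' => array(
            'id' => array( 'validate_callback' => 'is_numeric' ),
        ),
    ) );
} );

function acme_complete_order( WP_REST_Request $request ) {
    // Hypothetical effect; the point of the example is who may reach it.
    $id = (int) $request['id'];
    update_post_meta( $id, '_acme_status', 'completed' );
    return rest_ensure_response( array( 'id' => $id, 'status' => 'completed' ) );
}
```

When auditing a plugin for this class of bug, the two quick greps that surface most of it are for `wp_ajax_nopriv_` registrations and for `'permission_callback' => '__return_true'`; each hit needs a justification that the action really is meant to be public, and any handler that writes options, posts, users or integration keys should carry a nonce check plus a `current_user_can()` call on a capability no lower than the effect of the write.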