Total
5374 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-10800 | 1 Vanquish | 2 User Extra Fields, Wordpress User Extra Fields | 2024-11-19 | 8.8 High |
| The WordPress User Extra Fields plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the ajax_save_fields() function in all versions up to, and including, 16.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to add custom fields that can be updated and then use the check_and_overwrite_wp_or_woocommerce_fields function to update the wp_capabilities field to have administrator privileges. | ||||
| CVE-2021-3987 | 2 Calibre-web Project, Janeczku | 2 Calibre-web, Calibre-web | 2024-11-19 | 4.3 Medium |
| An improper access control vulnerability exists in janeczku/calibre-web. The affected version allows users without public shelf permissions to create public shelves. The vulnerability is due to the `create_shelf` method in `shelf.py` not verifying if the user has the necessary permissions to create a public shelf. This issue can lead to unauthorized actions being performed by users. | ||||
| CVE-2024-10861 | 1 Ays-pro | 1 Popup Box | 2024-11-19 | 5.3 Medium |
| The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 4.9.7. This makes it possible for unauthenticated attackers to update the 'ays_pb_upgrade_plugin' option with arbitrary data. | ||||
| CVE-2024-52416 | 1 Eugenbobrowski | 1 Debug Tool | 2024-11-19 | 10 Critical |
| Missing Authorization vulnerability in Eugen Bobrowski Debug Tool allows Upload a Web Shell to a Web Server.This issue affects Debug Tool: from n/a through 2.2. | ||||
| CVE-2024-48073 | 1 Sunniwell | 1 Ht3300 Firmware | 2024-11-18 | 9.8 Critical |
| sunniwell HT3300 before 1.0.0.B022.2 is vulnerable to Insecure Permissions. The /usr/local/bin/update program, which is responsible for updating the software in the HT3300 device, is given the execution mode of sudo NOPASSWD. This program is vulnerable to a command injection vulnerability, which could allow an attacker to pass commands to this program via command line arguments to gain elevated root privileges. | ||||
| CVE-2024-10531 | 1 Kognetiks | 2 Chatbot, Kognetiks Chatbot | 2024-11-18 | 5.3 Medium |
| The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_assistant() function in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to update GTP assistants. | ||||
| CVE-2024-10530 | 1 Kognetiks | 1 Kognetiks Chatbot | 2024-11-18 | 4.3 Medium |
| The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the add_new_assistant() function in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to create new GTP assistants. | ||||
| CVE-2024-10529 | 1 Kognetiks | 2 Chatbot, Kognetiks Chatbot | 2024-11-18 | 5.3 Medium |
| The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_assistant() function in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete GTP assistants. | ||||
| CVE-2024-11125 | 1 Get-simple | 1 Getsimplecms | 2024-11-15 | 4.3 Medium |
| A vulnerability was found in GetSimpleCMS 3.3.16 and classified as problematic. This issue affects some unknown processing of the file /admin/profile.php. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-52382 | 1 Medmatechnologies | 1 Matix Popup Builder | 2024-11-15 | 9.8 Critical |
| Missing Authorization vulnerability in Medma Technologies Matix Popup Builder allows Privilege Escalation.This issue affects Matix Popup Builder: from n/a through 1.0.0. | ||||
| CVE-2024-52383 | 1 Kct | 1 Ai Auto Tool Content Writing Assistant | 2024-11-15 | 7.5 High |
| Missing Authorization vulnerability in KCT Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One: from n/a through 2.1.2. | ||||
| CVE-2024-52549 | 1 Redhat | 1 Ocp Tools | 2024-11-15 | 4.3 Medium |
| Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system. | ||||
| CVE-2024-52551 | 2 Jenkins Project, Redhat | 2 Jenkins Pipeline Declaratrive Plugin, Ocp Tools | 2024-11-15 | 8 High |
| Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main (Jenkinsfile) script used to restart a build from a specific stage is approved, allowing attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved. | ||||
| CVE-2024-52554 | 1 Jenkins | 1 Shared Library Version Override | 2024-11-15 | 8.8 High |
| Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection. | ||||
| CVE-2024-10629 | 1 Devfarm | 1 Wp Gpx Maps | 2024-11-13 | 8.8 High |
| The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check and file type validation in the gpxv_file_upload() function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-10852 | 2024-11-13 | 4.3 Medium | ||
| The Buy one click WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the buy_one_click_export_options AJAX action in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export plugin settings. | ||||
| CVE-2024-43919 | 1 Yarpp | 2 Yarpp, Yet Another Related Posts Plugin | 2024-11-13 | 5.3 Medium |
| Access Control vulnerability in YARPP YARPP allows . This issue affects YARPP: from n/a through 5.30.10. | ||||
| CVE-2024-47768 | 1 Lifplatforms | 1 Lif Authentication Server | 2024-11-13 | 8.1 High |
| Lif Authentication Server is a server used by Lif to do various tasks regarding Lif accounts. This vulnerability has to do with the account recovery system where there does not appear to be a check to make sure the user has been sent the recovery email and entered the correct code. If the attacker knew the email of the target, they could supply the email and immediately prompt the server to update the password without ever needing the code. This issue has been patched in version 1.7.3. | ||||
| CVE-2024-43314 | 1 Gabelivan | 1 Asset Cleanup | 2024-11-13 | 4.3 Medium |
| Missing Authorization vulnerability in Gabe Livan Asset CleanUp: Page Speed Booster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Asset CleanUp: Page Speed Booster: from n/a through 1.3.9.3. | ||||
| CVE-2024-43332 | 1 Meowapps | 1 Photo Engine | 2024-11-13 | 4.3 Medium |
| Missing Authorization vulnerability in Jordy Meow Photo Engine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Photo Engine: from n/a through 6.4.0. | ||||