High Vulnerabilities
Primary Vendor — Product |
Description | Published | CVSS Score | Source Info |
---|---|---|---|---|
10CentMail–10CentMail |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in 10CentMail allows Reflected XSS.This issue affects 10CentMail: from n/a through 2.1.50. | 2025-01-02 | 7.1 | CVE-2024-56030 |
2100 Technology Electronic–Official Document Management System |
The Electronic Official Document Management System from 2100 Technology has an Authentication Bypass vulnerability. Although the product enforces an IP whitelist for the API used to query user tokens, unauthenticated remote attackers can still deceive the server to obtain tokens of arbitrary users, which can then be used to log into the system. | 2024-12-31 | 9.8 | CVE-2024-13061 |
AdWorkMedia.com–AdWork Media EZ Content Locker |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in AdWorkMedia.com AdWork Media EZ Content Locker allows Reflected XSS.This issue affects AdWork Media EZ Content Locker: from n/a through 3.0. | 2025-01-02 | 7.1 | CVE-2024-56025 |
AF themes–WP Post Author |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in AF themes WP Post Author allows SQL Injection.This issue affects WP Post Author: from n/a through 3.8.2. | 2025-01-02 | 7.6 | CVE-2024-56247 |
AI Magic–AI Magic |
Incorrect Privilege Assignment vulnerability in AI Magic allows Privilege Escalation.This issue affects AI Magic: from n/a through 1.0.4. | 2024-12-31 | 9.8 | CVE-2024-56205 |
alexacrm–Dynamics 365 Integration |
The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. | 2025-01-04 | 9.9 | CVE-2024-12583 |
Alexander Volkov–WP Nice Loader |
Cross-Site Request Forgery (CSRF) vulnerability in Alexander Volkov WP Nice Loader allows Stored XSS.This issue affects WP Nice Loader: from n/a through 0.1.0.4. | 2024-12-31 | 7.1 | CVE-2024-56232 |
Amarjeet Amar–gap-hub-user-role |
Cross-Site Request Forgery (CSRF) vulnerability in Amarjeet Amar allows Authentication Bypass.This issue affects gap-hub-user-role: from n/a through 3.4.1. | 2024-12-31 | 8.8 | CVE-2024-56206 |
ashlar — cobalt |
Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of AR files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24870. | 2024-12-30 | 7.8 | CVE-2024-13044 |
ashlar — cobalt |
Ashlar-Vellum Cobalt AR File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of AR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24848. | 2024-12-30 | 7.8 | CVE-2024-13045 |
ashlar — cobalt |
Ashlar-Vellum Cobalt CO File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CO files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24867. | 2024-12-30 | 7.8 | CVE-2024-13046 |
ashlar — cobalt |
Ashlar-Vellum Cobalt CO File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CO files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24843. | 2024-12-30 | 7.8 | CVE-2024-13047 |
ashlar — cobalt |
Ashlar-Vellum Cobalt XE File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XE files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24844. | 2024-12-30 | 7.8 | CVE-2024-13048 |
ashlar — cobalt |
Ashlar-Vellum Cobalt XE File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XE files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24847. | 2024-12-30 | 7.8 | CVE-2024-13049 |
ashlar — graphite |
Ashlar-Vellum Graphite VC6 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Graphite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of VC6 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24976. | 2024-12-30 | 7.8 | CVE-2024-13050 |
ashlar — graphite |
Ashlar-Vellum Graphite VC6 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Graphite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of VC6 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24977. | 2024-12-30 | 7.8 | CVE-2024-13051 |
ASUS–Router |
An improper input insertion vulnerability in AiCloud on certain router models may lead to arbitrary command execution. Refer to the ’01/02/2025 ASUS Router AiCloud vulnerability’ section on the ASUS Security Advisory for more information. | 2025-01-02 | 7.2 | CVE-2024-12912 |
ASUS–Router |
An unintended entry point vulnerability has been identified in certain router models, which may allow for arbitrary command execution. Refer to the ‘ 01/02/2025 ASUS Router AiCloud vulnerability’ section on the ASUS Security Advisory for more information. | 2025-01-02 | 7.2 | CVE-2024-13062 |
Azzaroco–WP SuperBackup |
Unrestricted Upload of File with Dangerous Type vulnerability in Azzaroco WP SuperBackup allows Upload a Web Shell to a Web Server.This issue affects WP SuperBackup: from n/a through 2.3.3. | 2024-12-31 | 10 | CVE-2024-56064 |
Azzaroco–WP SuperBackup |
Missing Authorization vulnerability in Azzaroco WP SuperBackup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP SuperBackup: from n/a through 2.3.3. | 2024-12-31 | 7.5 | CVE-2024-56067 |
Azzaroco–WP SuperBackup |
Deserialization of Untrusted Data vulnerability in Azzaroco WP SuperBackup.This issue affects WP SuperBackup: from n/a through 2.3.3. | 2024-12-31 | 7.5 | CVE-2024-56068 |
Azzaroco–WP SuperBackup |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Azzaroco WP SuperBackup allows Reflected XSS.This issue affects WP SuperBackup: from n/a through 2.3.3. | 2025-01-02 | 7.1 | CVE-2024-56069 |
Azzaroco–WP SuperBackup |
Missing Authorization vulnerability in Azzaroco WP SuperBackup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP SuperBackup: from n/a through 2.3.3. | 2024-12-31 | 7.4 | CVE-2024-56070 |
BizSwoop a CPF Concepts, LLC Brand–Leads CRM |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in BizSwoop a CPF Concepts, LLC Brand Leads CRM allows Reflected XSS.This issue affects Leads CRM: from n/a through 2.0.13. | 2025-01-02 | 7.1 | CVE-2024-56027 |
Boa web–Boa web |
Boa web server – CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 2024-12-30 | 7.5 | CVE-2024-47924 |
Boston University (IS&T)–BU Section Editing |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Boston University (IS&T) BU Section Editing allows Reflected XSS.This issue affects BU Section Editing: from n/a through 0.9.9. | 2025-01-02 | 7.1 | CVE-2024-56018 |
ByConsole–WooODT Lite |
Missing Authorization vulnerability in ByConsole WooODT Lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooODT Lite: from n/a through 2.4.6. | 2025-01-02 | 8.8 | CVE-2023-47179 |
Campcodes–School Faculty Scheduling System |
A vulnerability has been found in Campcodes School Faculty Scheduling System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=login. The manipulation of the argument username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-04 | 7.3 | CVE-2025-0210 |
Changing Information Technology–CGFIDO |
The passwordless login mechanism in CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability, allowing remote attackers with regular privileges to send a crafted request to switch to the identity of any user, including administrators. | 2024-12-31 | 8.8 | CVE-2024-12838 |
Changing Information Technology–CGFIDO |
The login mechanism via device authentication of CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability. If a user visits a forged website, the agent program deployed on their device will send an authentication signature to the website. An unauthenticated remote attacker who obtains this signature can use it to log into the system with any device. | 2024-12-31 | 8.8 | CVE-2024-12839 |
code-projects–Online Shoe Store |
A vulnerability, which was classified as critical, has been found in code-projects Online Shoe Store 1.0. Affected by this issue is some unknown functionality of the file /function/login.php. The manipulation of the argument password leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-04 | 7.3 | CVE-2025-0207 |
CodeAstro–Simple Loan Management System |
A vulnerability was found in CodeAstro Simple Loan Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /index.php of the component Login. The manipulation of the argument email leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-12-30 | 7.3 | CVE-2024-13038 |
Codezips–Project Management System |
A vulnerability was found in Codezips Project Management System 1.0. It has been classified as critical. This affects an unknown part of the file /pages/forms/course.php. The manipulation of the argument course_name leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 7.3 | CVE-2025-0233 |
CridioStudio–ListingPro |
Cross-Site Request Forgery (CSRF) vulnerability in CridioStudio ListingPro allows Authentication Bypass.This issue affects ListingPro: from n/a through 2.9.4. | 2025-01-02 | 8.8 | CVE-2024-39623 |
Crocoblock–JetEngine |
Missing Authorization vulnerability in Crocoblock JetEngine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetEngine: from n/a through 3.2.4. | 2025-01-02 | 7.1 | CVE-2023-48758 |
D-Link–DIR-823G |
A vulnerability was found in D-Link DIR-823G 1.0.2B05_20181207. It has been rated as critical. This issue affects the function SetAutoRebootSettings/SetClientInfo/SetDMZSettings/SetFirewallSettings/SetParentsControlInfo/SetQoSSettings/SetVirtualServerSettings of the file /HNAP1/ of the component Web Management Interface. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-12-30 | 7.3 | CVE-2024-13030 |
David Cramer–My Shortcodes |
Missing Authorization vulnerability in David Cramer My Shortcodes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Shortcodes: from n/a through 2.3. | 2025-01-02 | 7.1 | CVE-2023-46632 |
davidanderson–UpdraftPlus: WP Backup & Migration Plugin |
The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.24.11 via deserialization of untrusted input in the ‘recursive_unserialized_replace’ function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must perform a search and replace action to trigger the exploit. | 2025-01-04 | 8.8 | CVE-2024-10957 |
DeluxeThemes–Userpro |
Missing Authorization vulnerability in DeluxeThemes Userpro.This issue affects Userpro: from n/a through 5.1.9. | 2024-12-31 | 8.8 | CVE-2024-56211 |
DeluxeThemes–Userpro |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in DeluxeThemes Userpro.This issue affects Userpro: from n/a through 5.1.9. | 2024-12-31 | 8.5 | CVE-2024-56212 |
DeluxeThemes–Userpro |
Path Traversal: ‘…/…//’ vulnerability in DeluxeThemes Userpro allows Path Traversal.This issue affects Userpro: from n/a through 5.1.9. | 2024-12-31 | 8.3 | CVE-2024-56214 |
DeluxeThemes–Userpro |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in DeluxeThemes Userpro allows Reflected XSS.This issue affects Userpro: from n/a through 5.1.9. | 2024-12-31 | 7.1 | CVE-2024-56210 |
Dreamwinner–Easy Language Switcher |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Dreamwinner Easy Language Switcher allows Reflected XSS.This issue affects Easy Language Switcher: from n/a through 1.0. | 2025-01-02 | 7.1 | CVE-2024-56029 |
DuoGeek–Custom Dashboard Widget |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in DuoGeek Custom Dashboard Widget allows Reflected XSS.This issue affects Custom Dashboard Widget: from n/a through 1.0.0. | 2025-01-02 | 7.1 | CVE-2024-56024 |
Dynamic Web Lab–Dynamic Product Category Grid, Slider for WooCommerce |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Dynamic Web Lab Dynamic Product Category Grid, Slider for WooCommerce allows PHP Local File Inclusion.This issue affects Dynamic Product Category Grid, Slider for WooCommerce: from n/a through 1.1.3. | 2024-12-31 | 7.5 | CVE-2024-56230 |
EditionGuard Dev Team–EditionGuard for WooCommerce eBook Sales with DRM |
Cross-Site Request Forgery (CSRF) vulnerability in EditionGuard Dev Team EditionGuard for WooCommerce – eBook Sales with DRM allows Privilege Escalation.This issue affects EditionGuard for WooCommerce – eBook Sales with DRM: from n/a through 3.4.2. | 2024-12-31 | 8.8 | CVE-2024-56207 |
Fahad Mahmood–Gulri Slider |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Fahad Mahmood Gulri Slider allows Reflected XSS.This issue affects Gulri Slider: from n/a through 3.5.8. | 2024-12-31 | 7.1 | CVE-2024-56223 |
Fla-shop.com–Interactive UK Map |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Fla-shop.com Interactive UK Map allows Stored XSS.This issue affects Interactive UK Map: from n/a through 3.4.8. | 2025-01-02 | 7.1 | CVE-2024-56267 |
Foliovision–FV Descriptions |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Foliovision FV Descriptions allows Reflected XSS.This issue affects FV Descriptions: from n/a through 1.4. | 2025-01-02 | 7.1 | CVE-2024-56032 |
George Holmes II–Wayne Audio Player |
Cross-Site Request Forgery (CSRF) vulnerability in George Holmes II Wayne Audio Player allows Privilege Escalation.This issue affects Wayne Audio Player: from n/a through 1.0. | 2024-12-31 | 8.8 | CVE-2024-56203 |
Google–Android |
In cc_SendCcImsInfoIndMsg of cc_MmConManagement.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | 9.8 | CVE-2024-53842 |
Google–Android |
In prepare_to_draw_into_mask of SkBlurMaskFilterImpl.cpp, there is a possible heap overflow due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | 8.8 | CVE-2024-43767 |
Google–Android |
there is a possible to add apps to bypass VPN due to Undeclared Permission . This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | 7.8 | CVE-2024-11624 |
Google–Android |
In DevmemValidateFlags of devicemem_server.c , there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | 7.8 | CVE-2024-43077 |
Google–Android |
In resizeToAtLeast of SkRegion.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | 7.8 | CVE-2024-43097 |
Google–Android |
In multiple locations, there is a possible way to avoid unbinding of a service from the system due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | 7.8 | CVE-2024-43762 |
Google–Android |
In onPrimaryClipChanged of ClipboardListener.java, there is a possible way to partially bypass lock screen. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | 7.8 | CVE-2024-43764 |
Google–Android |
In skia_alloc_func of SkDeflate.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | 7.8 | CVE-2024-43768 |
Google–Android |
In isPackageDeviceAdmin of PackageManagerService.java, there is a possible edge case which could prevent the uninstallation of CloudDpc due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | 7.8 | CVE-2024-43769 |
Google–Android |
In construct_transaction_from_cmd of lwis_ioctl.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | 7.8 | CVE-2024-47032 |
Google–Android |
In sms_DisplayHexDumpOfPrivacyBuffer of sms_Utilities.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | 7.5 | CVE-2024-53834 |
Google–Android |
there is a possible biometric bypass due to an unusual root cause. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | 7.8 | CVE-2024-53835 |
Google–Android |
In prepare_response of lwis_periodic_io.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | 7.8 | CVE-2024-53837 |
Google–Android |
In Exynos_parsing_user_data_registered_itu_t_t35 of VendorVideoAPI.cpp, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | 7.8 | CVE-2024-53838 |
Google–Android |
there is a possible biometric bypass due to an unusual root cause. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | 7.8 | CVE-2024-53840 |
Google–Android |
In startListeningForDeviceStateChanges, there is a possible Permission Bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | 7.8 | CVE-2024-53841 |
Greg Priday–Simple Proxy |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Greg Priday Simple Proxy allows Reflected XSS.This issue affects Simple Proxy: from n/a through 1.0. | 2025-01-02 | 7.1 | CVE-2024-56026 |
GregRoss–Just Writing Statistics |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in GregRoss Just Writing Statistics allows SQL Injection.This issue affects Just Writing Statistics: from n/a through 4.7. | 2025-01-02 | 7.6 | CVE-2024-56250 |
hcabrera–WordPress Popular Posts |
The The WordPress Popular Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | 2025-01-03 | 7.3 | CVE-2024-11733 |
HTML Forms–HTML Forms |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in HTML Forms allows Reflected XSS.This issue affects HTML Forms: from n/a through 1.4.1. | 2025-01-02 | 7.1 | CVE-2024-56060 |
IBM–Engineering Lifecycle Optimization Publishing |
IBM Engineering Lifecycle Optimization – Publishing 7.0.2 and 7.0.3 could allow a remote attacker to cause a denial of service using a complex regular expression. | 2025-01-04 | 7.5 | CVE-2024-41766 |
IBM–Engineering Lifecycle Optimization Publishing |
IBM Engineering Lifecycle Optimization – Publishing 7.0.2 and 7.0.3 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. | 2025-01-04 | 7.3 | CVE-2024-41767 |
IBM–WebSphere Automation |
IBM WebSphere Automation 1.7.5 could allow a remote privileged user, who has authorized access to the swagger UI, to execute arbitrary code. Using specially crafted input, the user could exploit this vulnerability to execute arbitrary code on the system. | 2024-12-30 | 7.2 | CVE-2024-54181 |
inisev–Backup Migration |
The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the ‘recursive_unserialize_replace’ function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site in order to trigger the exploit. | 2025-01-04 | 8.8 | CVE-2024-10932 |
Inspry–Agency Toolkit |
Missing Authorization vulnerability in Inspry Agency Toolkit allows Privilege Escalation.This issue affects Agency Toolkit: from n/a through 1.0.23. | 2024-12-31 | 9.8 | CVE-2024-56066 |
Irshad–Services updates for customers |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Irshad Services updates for customers allows Reflected XSS.This issue affects Services updates for customers: from n/a through 1.0. | 2025-01-02 | 7.1 | CVE-2024-56034 |
iTerm2–iTerm2 |
iTerm2 3.5.6 through 3.5.10 before 3.5.11 sometimes allows remote attackers to obtain sensitive information from terminal commands by reading the /tmp/framer.txt file. This can occur for certain it2ssh and SSH Integration configurations, during remote logins to hosts that have a common Python installation. | 2025-01-03 | 9.3 | CVE-2025-22275 |
Kinhelios–Kintpv Wooconnect |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Kinhelios Kintpv Wooconnect allows Stored XSS.This issue affects Kintpv Wooconnect: from n/a through 8.129. | 2024-12-31 | 7.1 | CVE-2024-56233 |
Kurt Payne–Upload Scanner |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Kurt Payne Upload Scanner allows Reflected XSS.This issue affects Upload Scanner: from n/a through 1.2. | 2025-01-02 | 7.1 | CVE-2024-56035 |
Lemonade Coding Studio–Lemonade Social Networks Autoposter Pinterest |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Lemonade Coding Studio Lemonade Social Networks Autoposter Pinterest allows Reflected XSS.This issue affects Lemonade Social Networks Autoposter Pinterest: from n/a through 2.0. | 2025-01-02 | 7.1 | CVE-2024-56028 |
Markyis Cool–Olivia |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Markyis Cool Olivia allows Reflected XSS.This issue affects Olivia: from n/a through 0.9.5. | 2025-01-02 | 7.1 | CVE-2024-56014 |
Md Maruf Adnan Sami–User Referral |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Md Maruf Adnan Sami User Referral allows Reflected XSS.This issue affects User Referral: from n/a through 8.0. | 2025-01-02 | 7.1 | CVE-2024-56037 |
mendableai–firecrawl |
Firecrawl is a web scraper that allows users to extract the content of a webpage for a large language model. Versions prior to 1.1.1 contain a server-side request forgery (SSRF) vulnerability. The scraping engine could be exploited by crafting a malicious site that redirects to a local IP address. This allowed exfiltration of local network resources through the API. The cloud service was patched on December 27th, 2024, and the maintainers have checked that no user data was exposed by this vulnerability. Scraping engines used in the open sourced version of Firecrawl were patched on December 29th, 2024, except for the playwright services which the maintainers have determined to be un-patchable. All users of open-source software (OSS) Firecrawl should upgrade to v1.1.1. As a workaround, OSS Firecrawl users should supply the playwright services with a secure proxy. A proxy can be specified through the `PROXY_SERVER` env in the environment variables. Please refer to the documentation for instructions. Ensure that the proxy server one is using is setup to block all traffic going to link-local IP addresses. | 2024-12-30 | 7.4 | CVE-2024-56800 |
Mike Leembruggen–Simple Dashboard |
Incorrect Privilege Assignment vulnerability in Mike Leembruggen Simple Dashboard allows Privilege Escalation.This issue affects Simple Dashboard: from n/a through 2.0. | 2024-12-31 | 9.8 | CVE-2024-56071 |
Mobotix–CCTV FW |
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 2024-12-30 | 7.5 | CVE-2024-47917 |
Moxa–EDR-8010 Series |
Moxa’s cellular routers, secure routers, and network security appliances are affected by a critical vulnerability, CVE-2024-9140. This vulnerability allows OS command injection due to improperly restricted commands, potentially enabling attackers to execute arbitrary code. This poses a significant risk to the system’s security and functionality. | 2025-01-03 | 9.8 | CVE-2024-9140 |
Moxa–EDR-810 Series |
Moxa’s cellular routers, secure routers, and network security appliances are affected by a high-severity vulnerability, CVE-2024-9138. This vulnerability involves hard-coded credentials, enabling an authenticated user to escalate privileges and gain root-level access to the system, posing a significant security risk. | 2025-01-03 | 7.2 | CVE-2024-9138 |
n/a–n/a |
Huang Yaoshi Pharmaceutical Management Software through 16.0 allows arbitrary file upload via a .asp filename in the fileName element of the UploadFile element in a SOAP request to /XSDService.asmx. | 2025-01-02 | 10 | CVE-2024-56829 |
n/a–n/a |
An arbitrary file upload vulnerability in the component /adminUser/updateImg of WukongCRM-11.0-JAVA v11.3.3 allows attackers to execute arbitrary code via uploading a crafted file. | 2025-01-03 | 9.8 | CVE-2024-55078 |
n/a–n/a |
An issue in CodeAstro Complaint Management System v.1.0 allows a remote attacker to escalate privileges via the delete_e.php component. | 2025-01-03 | 9.8 | CVE-2024-55507 |
n/a–n/a |
In Net::OAuth::Client in the Net::OAuth package before 0.29 for Perl, the default nonce is a 32-bit integer generated from the built-in rand() function, which is not cryptographically strong. | 2025-01-03 | 9.8 | CVE-2025-22376 |
n/a–n/a |
FFmpeg version n6.1.1 has a double-free vulnerability in the fftools/ffmpeg_mux_init.c component of FFmpeg, specifically within the new_stream_audio function. | 2025-01-03 | 8.8 | CVE-2024-35365 |
n/a–n/a |
SQL Injection vulnerability in Silverpeas 6.4.1 allows a remote attacker to obtain sensitive information via the ViewType parameter of the findbywhereclause function. | 2025-01-03 | 7.5 | CVE-2024-48814 |
n/a–Roxy-WI |
A vulnerability was found in Roxy-WI up to 8.1.3. It has been declared as critical. Affected by this vulnerability is the function action_service of the file app/modules/roxywi/roxy.py. The manipulation of the argument action/service leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 8.1.4 addresses this issue. The identifier of the patch is 32313928eb9ce906887b8a30bf7b9a3d5c0de1be. It is recommended to upgrade the affected component. | 2025-01-03 | 8.8 | CVE-2024-13129 |
Ondrej Donek–odPhotogallery |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Ondrej Donek odPhotogallery allows Reflected XSS. This issue affects odPhotogallery: from n/a through 0.5.3. | 2025-01-02 | 7.1 | CVE-2024-56036 |
Perfect Solution–WP eCommerce Quickpay |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Perfect Solution WP eCommerce Quickpay allows Reflected XSS. This issue affects WP eCommerce Quickpay: from n/a through 1.1.0. | 2025-01-02 | 7.1 | CVE-2024-56023 |
PHPGurukul–Land Record System |
A vulnerability, which was classified as critical, has been found in PHPGurukul Land Record System 1.0. Affected by this issue is some unknown functionality of the file /admin/login.php. The manipulation of the argument username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-12-31 | 7.3 | CVE-2024-13085 |
Priority–PRI WEB |
Priority – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | 2024-12-30 | 7.5 | CVE-2024-47922 |
Progress Software Corporation–WhatsUp Gold |
In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings. | 2024-12-31 | 9.4 | CVE-2024-12106 |
Progress Software Corporation–WhatsUp Gold |
In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API. | 2024-12-31 | 9.6 | CVE-2024-12108 |
Quanta Computer–QOCA aim |
The QOCA aim from Quanta Computer has an Authorization Bypass Through User-Controlled Key vulnerability. By controlling the user ID parameter, remote attackers with regular privileges could access certain features as any user, modify any user’s account information and privileges, leading to privilege escalation. | 2024-12-31 | 8.8 | CVE-2024-13040 |
Red Hat–Red Hat Fuse 7 |
A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod. | 2024-12-31 | 8.8 | CVE-2024-25133 |
Red Hat–Red Hat Fuse 7 |
A flaw was found in FFmpeg’s HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization. | 2024-12-31 | 7.5 | CVE-2023-6603 |
Red Hat–Red Hat Fuse 7 |
A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node’s /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows the attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This flaw impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties. | 2024-12-31 | 7.6 | CVE-2024-45497 |
sendSMS–SendSMS |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in SendSMS allows Reflected XSS. This issue affects SendSMS: from n/a through 1.2.9. | 2025-01-02 | 7.1 | CVE-2024-56038 |
SeventhQueen–Kleo |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in SeventhQueen Kleo allows Reflected XSS. This issue affects Kleo: from n/a before 5.4.4. | 2024-12-31 | 7.1 | CVE-2024-56209 |
Smadar–SPS |
Smadar SPS – CWE-327: Use of a Broken or Risky Cryptographic Algorithm | 2024-12-30 | 8.4 | CVE-2024-47921 |
spider-themes–EazyDocs |
Missing Authorization vulnerability in spider-themes EazyDocs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EazyDocs: from n/a through 2.3.5. | 2025-01-02 | 7.5 | CVE-2023-47648 |
SSL Wireless–SSL Wireless SMS Notification |
Incorrect Privilege Assignment vulnerability in SSL Wireless SSL Wireless SMS Notification allows Privilege Escalation. This issue affects SSL Wireless SMS Notification: from n/a through 3.5.0. | 2024-12-31 | 9.8 | CVE-2024-56220 |
Tecnick–TCExam |
Tecnick TCExam – CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 2024-12-30 | 9.8 | CVE-2024-47926 |
Tecnick–TCExam |
Tecnick TCExam – Multiple CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 2024-12-30 | 7.5 | CVE-2024-47925 |
Themefic–Ultimate Addons for Contact Form 7 |
Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for Contact Form 7: from n/a through 3.2.6. | 2025-01-02 | 7.5 | CVE-2023-47693 |
Think201–FAQs |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Think201 FAQs allows Reflected XSS. This issue affects FAQs: from n/a through 1.0.2. | 2025-01-02 | 7.1 | CVE-2024-56033 |
Tiki Wiki–CMS |
Tiki Wiki CMS – CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 2024-12-30 | 9.8 | CVE-2024-47919 |
Tiki Wiki–CMS |
Tiki Wiki CMS – CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 2024-12-30 | 7.5 | CVE-2024-47920 |
Trend Micro, Inc.–Trend Micro Apex One |
A widget local file inclusion vulnerability in Trend Micro Apex One could allow a remote attacker to execute arbitrary code on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2024-12-31 | 7.5 | CVE-2024-52047 |
Trend Micro, Inc.–Trend Micro Apex One |
A LogServer link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. This vulnerability is similar to, but not identical to CVE-2024-52049. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2024-12-31 | 7.8 | CVE-2024-52048 |
Trend Micro, Inc.–Trend Micro Apex One |
A LogServer link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. This vulnerability is similar to, but not identical to CVE-2024-52048. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2024-12-31 | 7.8 | CVE-2024-52049 |
Trend Micro, Inc.–Trend Micro Apex One |
A LogServer arbitrary file creation vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2024-12-31 | 7.8 | CVE-2024-52050 |
Trend Micro, Inc.–Trend Micro Apex One |
An engine link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2024-12-31 | 7.8 | CVE-2024-55631 |
Trend Micro, Inc.–Trend Micro Apex One |
A security agent link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2024-12-31 | 7.8 | CVE-2024-55632 |
Trend Micro, Inc.–Trend Micro Apex One |
An origin validation error vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2024-12-31 | 7.8 | CVE-2024-55917 |
TrueWinter–simofa |
Simofa is a tool to help automate static website building and deployment. Prior to version 0.2.7, due to a design mistake in the RouteLoader class, some API routes may be publicly accessible when they should require authentication. This vulnerability has been patched in v0.2.7. | 2024-12-30 | 10 | CVE-2024-56799 |
Unknown–Hunk Companion |
The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed. | 2024-12-31 | 9.8 | CVE-2024-11972 |
VibeThemes–VibeBP |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in VibeThemes VibeBP allows SQL Injection. This issue affects VibeBP: from n/a before 1.9.9.7.7. | 2024-12-31 | 9.3 | CVE-2024-56039 |
VibeThemes–VibeBP |
Incorrect Privilege Assignment vulnerability in VibeThemes VibeBP allows Privilege Escalation. This issue affects VibeBP: from n/a through 1.9.9.4.1. | 2024-12-31 | 9.8 | CVE-2024-56040 |
VibeThemes–VibeBP |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in VibeThemes VibeBP allows SQL Injection. This issue affects VibeBP: from n/a before 1.9.9.5.1. | 2024-12-31 | 8.5 | CVE-2024-56041 |
VibeThemes–WPLMS |
Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS allows Upload a Web Shell to a Web Server. This issue affects WPLMS: from n/a through 1.9.9. | 2024-12-31 | 10 | CVE-2024-56046 |
VibeThemes–WPLMS |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in VibeThemes WPLMS allows SQL Injection. This issue affects WPLMS: from n/a before 1.9.9.5.3. | 2024-12-31 | 9.3 | CVE-2024-56042 |
VibeThemes–WPLMS |
Incorrect Privilege Assignment vulnerability in VibeThemes WPLMS allows Privilege Escalation. This issue affects WPLMS: from n/a through 1.9.9. | 2024-12-31 | 9.8 | CVE-2024-56043 |
VibeThemes–WPLMS |
Authentication Bypass Using an Alternate Path or Channel vulnerability in VibeThemes WPLMS allows Authentication Bypass. This issue affects WPLMS: from n/a through 1.9.9. | 2024-12-31 | 9.8 | CVE-2024-56044 |
VibeThemes–WPLMS |
Path Traversal: ‘.../...//’ vulnerability in VibeThemes WPLMS allows Path Traversal. This issue affects WPLMS: from n/a before 1.9.9.5. | 2024-12-31 | 9.3 | CVE-2024-56045 |
watchguard–panda_dome |
Panda Security Dome Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Hotspot Shield. By creating a junction, an attacker can abuse the application to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23478. | 2024-12-30 | 7.8 | CVE-2024-13043 |
Webdeclic–WPMasterToolKit |
Unrestricted Upload of File with Dangerous Type vulnerability in Webdeclic WPMasterToolKit allows Upload a Web Shell to a Web Server. This issue affects WPMasterToolKit: from n/a through 1.13.1. | 2025-01-02 | 9.1 | CVE-2024-56249 |
Webful Creations–Computer Repair Shop |
Missing Authorization vulnerability in Webful Creations Computer Repair Shop allows Privilege Escalation. This issue affects Computer Repair Shop: from n/a through 3.8119. | 2024-12-31 | 8.8 | CVE-2024-56061 |
WordPress Monsters–Preloader by WordPress Monsters |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WordPress Monsters Preloader by WordPress Monsters allows Reflected XSS. This issue affects Preloader by WordPress Monsters: from n/a through 1.2.3. | 2025-01-02 | 7.1 | CVE-2024-56022 |
WP Royal–Royal Elementor Addons |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WP Royal Royal Elementor Addons allows Reflected XSS. This issue affects Royal Elementor Addons: from n/a through 1.7.1001. | 2024-12-31 | 7.1 | CVE-2024-56226 |
WP Travel–WP Travel |
Missing Authorization vulnerability in WP Travel WP Travel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Travel: from n/a through 7.8.0. | 2025-01-02 | 7.5 | CVE-2023-47224 |
WPDeveloper–BetterLinks |
Missing Authorization vulnerability in WPDeveloper BetterLinks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BetterLinks: from n/a through 1.6.0. | 2025-01-02 | 7.3 | CVE-2023-45104 |
WPFactory–Wishlist for WooCommerce: Multi Wishlists Per Customer |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPFactory Wishlist for WooCommerce: Multi Wishlists Per Customer allows Reflected XSS. This issue affects Wishlist for WooCommerce: Multi Wishlists Per Customer: from n/a through 3.1.2. | 2024-12-31 | 7.1 | CVE-2024-56228 |
WPWeb–WooCommerce PDF Vouchers |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPWeb WooCommerce PDF Vouchers allows Reflected XSS. This issue affects WooCommerce PDF Vouchers: from n/a before 4.9.9. | 2024-12-31 | 7.1 | CVE-2024-56265 |
Yonatan Reinberg of Social Ink–Sinking Dropdowns |
Cross-Site Request Forgery (CSRF) vulnerability in Yonatan Reinberg of Social Ink Sinking Dropdowns allows Privilege Escalation. This issue affects Sinking Dropdowns: from n/a through 1.25. | 2024-12-31 | 8.8 | CVE-2024-56204 |
ZTE–ZENIC ONE R58 |
The ZENIC ONE R58 products by ZTE Corporation have a command injection vulnerability. An authenticated attacker can exploit this vulnerability to tamper with messages, inject malicious code, and subsequently launch attacks on related devices. | 2024-12-30 | 7.6 | CVE-2024-22063 |
Medium Vulnerabilities
Primary Vendor — Product |
Description | Published | CVSS Score | Source Info |
---|---|---|---|---|
1000 Projects–Attendance Tracking Management System |
A vulnerability was found in 1000 Projects Attendance Tracking Management System 1.0. It has been classified as critical. Affected is the function attendance_report of the file /admin/report.php. The manipulation of the argument course_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-12-30 | 6.3 | CVE-2024-13037 |
1000 Projects–Beauty Parlour Management System |
A vulnerability was found in 1000 Projects Beauty Parlour Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/add-customer-services.php of the component Customer Detail Handler. The manipulation of the argument sids[] leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-12-31 | 6.3 | CVE-2024-13072 |
10Web–10Web Map Builder for Google Maps |
Missing Authorization vulnerability in 10Web 10Web Map Builder for Google Maps allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 10Web Map Builder for Google Maps: from n/a through 1.0.73. | 2025-01-02 | 5.4 | CVE-2023-45272 |
10Web–10WebAnalytics |
Missing Authorization vulnerability in 10Web 10WebAnalytics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 10WebAnalytics: from n/a through 1.2.12. | 2025-01-02 | 4.3 | CVE-2023-47807 |
1Panel-dev–MaxKB |
MaxKB, which stands for Max Knowledge Base, is an open source knowledge base question-answering system based on a large language model and retrieval-augmented generation (RAG). Prior to version 1.9.0, a remote command execution vulnerability exists in the function library module. The vulnerability allows privileged users to execute OS commands in custom scripts. The vulnerability has been fixed in v1.9.0. | 2025-01-02 | 6.8 | CVE-2024-56137 |
akashmalik–Scratch & Win Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more |
The Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.1. This is due to missing nonce validation on the reset_installation() function. This makes it possible for unauthenticated attackers to reset the plugin’s installation via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. | 2025-01-04 | 5.4 | CVE-2024-12545 |
Analytify–Analytify |
Missing Authorization vulnerability in Analytify. This issue affects Analytify: from n/a through 4.2.3. | 2025-01-02 | 6.5 | CVE-2022-45830 |
Andy Fragen–Embed PDF Viewer |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Andy Fragen Embed PDF Viewer allows Stored XSS. This issue affects Embed PDF Viewer: from n/a through 2.3.1. | 2024-12-31 | 5.9 | CVE-2024-56256 |
Antabot–White-Jotter |
A vulnerability, which was classified as problematic, was found in Antabot White-Jotter up to 0.2.2. Affected is an unknown function of the file /admin/content/book of the component Edit Book Handler. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-12-30 | 4.3 | CVE-2024-13029 |
Apollo13Themes–Rife Free |
Cross-Site Request Forgery (CSRF) vulnerability in Apollo13Themes Rife Free allows Cross Site Request Forgery. This issue affects Rife Free: from n/a through 2.4.18. | 2025-01-02 | 4.3 | CVE-2024-37491 |
AtomChat–AtomChat |
Missing Authorization vulnerability in AtomChat AtomChat allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AtomChat: from n/a through 1.1.4. | 2025-01-02 | 5.3 | CVE-2023-46606 |
AuRise Creative, SevenSpark–Contact Form 7 Dynamic Text Extension |
Cross-Site Request Forgery (CSRF) vulnerability in AuRise Creative, SevenSpark Contact Form 7 Dynamic Text Extension allows Cross Site Request Forgery. This issue affects Contact Form 7 Dynamic Text Extension: from n/a through 5.0.1. | 2024-12-31 | 4.3 | CVE-2024-56218 |
Automattic–Newspack Newsletters |
Cross-Site Request Forgery (CSRF) vulnerability in Automattic Newspack Newsletters allows Cross Site Request Forgery. This issue affects Newspack Newsletters: from n/a through 2.13.2. | 2025-01-02 | 4.3 | CVE-2024-37242 |
Automattic–WP Job Manager – Resume Manager |
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager – Resume Manager allows Cross Site Request Forgery. This issue affects WP Job Manager – Resume Manager: from n/a through 2.1.0. | 2025-01-02 | 4.3 | CVE-2024-37241 |
AWSM Innovations–WP Job Openings |
Missing Authorization vulnerability in AWSM Innovations WP Job Openings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Openings: from n/a through 3.4.1. | 2025-01-02 | 5.3 | CVE-2023-45061 |
AyeCode – WP Business Directory Plugins–GeoDirectory |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in AyeCode – WP Business Directory Plugins GeoDirectory allows Stored XSS. This issue affects GeoDirectory: from n/a through 2.3.84. | 2025-01-02 | 6.5 | CVE-2024-56259 |
AyeCode–AyeCode Connect |
Missing Authorization vulnerability in AyeCode AyeCode Connect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AyeCode Connect: from n/a through 1.3.8. | 2025-01-02 | 4.3 | CVE-2024-56255 |
basecamp–trix |
Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.12 are vulnerable to cross-site scripting when malicious code is pasted into the link field. An attacker could trick a user into copying and pasting a malicious `javascript:` URL as a link, which would execute arbitrary JavaScript code within the context of the user’s session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. Users should upgrade to Trix editor version 2.1.12 or later to receive a patch. In addition to upgrading, affected users can disallow browsers that don’t support a Content Security Policy (CSP) as a workaround for this and other cross-site scripting vulnerabilities. Set CSP policies such as script-src ‘self’ to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem. | 2025-01-03 | 5.3 | CVE-2025-21610 |
Beee–ACF City Selector |
Unrestricted Upload of File with Dangerous Type vulnerability in Beee ACF City Selector allows Upload a Web Shell to a Web Server. This issue affects ACF City Selector: from n/a through 1.14.0. | 2025-01-02 | 6.6 | CVE-2024-56264 |
Beijing Yunfan Internet Technology–Yunfan Learning Examination System |
A vulnerability was found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. It has been rated as critical. This issue affects some unknown processing of the file /doc.html. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-02 | 5.3 | CVE-2024-13109 |
Beijing Yunfan Internet Technology–Yunfan Learning Examination System |
A vulnerability classified as critical was found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. Affected by this vulnerability is an unknown functionality of the file src/main/java/com/yf/exam/modules/sys/user/controller/SysUserControl of the component JWT Token Handler. The manipulation leads to improper authentication. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | 2025-01-02 | 5.6 | CVE-2024-13111 |
Beijing Yunfan Internet Technology–Yunfan Learning Examination System |
A vulnerability classified as problematic has been found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. Affected is an unknown function of the file src/main/java/com/yf/exam/modules/paper/controller/PaperController.java of the component Exam Answer Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-01-02 | 4.3 | CVE-2024-13110 |
BlazeThemes–Trendy News |
Cross-Site Request Forgery (CSRF) vulnerability in BlazeThemes Trendy News allows Cross Site Request Forgery. This issue affects Trendy News: from n/a through 1.0.15. | 2025-01-02 | 4.3 | CVE-2024-37473 |
Blossom Themes–Blossom Shop |
Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Blossom Shop allows Cross Site Request Forgery. This issue affects Blossom Shop: from n/a through 1.1.7. | 2025-01-02 | 4.3 | CVE-2024-37412 |
Blossom Themes–Vandana Lite |
Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Vandana Lite allows Cross Site Request Forgery. This issue affects Vandana Lite: from n/a through 1.1.9. | 2025-01-02 | 4.3 | CVE-2024-37243 |
Blossom Themes–Vilva |
Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Vilva allows Cross Site Request Forgery. This issue affects Vilva: from n/a through 1.2.2. | 2025-01-02 | 4.3 | CVE-2024-37102 |
BoldThemes–Bold Timeline Lite |
Missing Authorization vulnerability in BoldThemes Bold Timeline Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bold Timeline Lite: from n/a through 1.1.9. | 2025-01-02 | 4.3 | CVE-2023-45110 |
BUDDYBOSS LLC–BuddyBoss Theme |
Cross-Site Request Forgery (CSRF) vulnerability in BUDDYBOSS LLC BuddyBoss Theme allows Cross Site Request Forgery. This issue affects BuddyBoss Theme: from n/a through 2.4.61. | 2025-01-02 | 5.4 | CVE-2024-37925 |
Campcodes–Project Management System |
A vulnerability was found in Campcodes Project Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /forms/update_forms.php?action=change_pic2&id=4. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-04 | 6.3 | CVE-2025-0213 |
Campcodes–School Faculty Scheduling System |
A vulnerability was found in Campcodes School Faculty Scheduling System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/index.php. The manipulation of the argument page leads to file inclusion. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-04 | 6.3 | CVE-2025-0211 |
Campcodes–Student Grading System |
A vulnerability was found in Campcodes Student Grading System 1.0. It has been classified as critical. This affects an unknown part of the file /view_students.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-01-04 | 6.3 | CVE-2025-0212 |
Coachify–Coachify |
Cross-Site Request Forgery (CSRF) vulnerability in Coachify Coachify allows Cross Site Request Forgery. This issue affects Coachify: from n/a through 1.0.7. | 2025-01-02 | 4.3 | CVE-2024-37417 |
CoCart Headless, LLC–CoCart Headless ecommerce |
Missing Authorization vulnerability in CoCart Headless, LLC CoCart – Headless ecommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CoCart – Headless ecommerce: from n/a through 3.11.2. | 2025-01-02 | 5.3 | CVE-2023-47241 |
code-projects–Chat System |
A vulnerability has been found in code-projects Chat System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/update_user.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-12-30 | 6.3 | CVE-2024-13035 |
code-projects–Chat System |
A vulnerability was found in code-projects Chat System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/update_room.php. The manipulation of the argument id/name/password leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-12-30 | 6.3 | CVE-2024-13036 |
code-projects–Chat System |
A vulnerability, which was classified as critical, was found in code-projects Chat System 1.0. Affected is an unknown function of the file /admin/deleteuser.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-01-02 | 6.3 | CVE-2025-0171 |
code-projects–Chat System |
A vulnerability has been found in code-projects Chat System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/deleteroom.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-02 | 6.3 | CVE-2025-0172 |
code-projects–Job Recruitment |
A vulnerability classified as critical was found in code-projects Job Recruitment 1.0. This vulnerability affects unknown code of the file /_parse/_call_job/search_ajax.php of the component Job Post Handler. The manipulation of the argument n leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-02 | 6.3 | CVE-2024-13092 |
code-projects–Job Recruitment |
A vulnerability, which was classified as critical, has been found in code-projects Job Recruitment 1.0. This issue affects some unknown processing of the file /_parse/_call_main_search_ajax.php of the component Seeker Profile Handler. The manipulation of the argument s1 leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-02 | 6.3 | CVE-2024-13093 |
code-projects–Job Recruitment |
A vulnerability classified as critical has been found in code-projects Job Recruitment 1.0. This affects an unknown part of the file /_parse/_feedback_system.php. The manipulation of the argument person leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-01-01 | 6.3 | CVE-2025-0168 |
code-projects–Online Shoe Store |
A vulnerability was found in code-projects Online Shoe Store 1.0. It has been rated as critical. This issue affects some unknown processing of the file /details.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-04 | 6.3 | CVE-2025-0204 |
code-projects–Online Shoe Store |
A vulnerability classified as critical has been found in code-projects Online Shoe Store 1.0. Affected is an unknown function of the file /details2.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-01-04 | 6.3 | CVE-2025-0205 |
code-projects–Online Shoe Store |
A vulnerability, which was classified as critical, was found in code-projects Online Shoe Store 1.0. This affects an unknown part of the file /summary.php. The manipulation of the argument tid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-01-04 | 6.3 | CVE-2025-0208 |
code-projects–Online Shoe Store | A vulnerability classified as critical was found in code-projects Online Shoe Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/index.php. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-04 | 5.3 | CVE-2025-0206 |
code-projects–Point of Sales and Inventory Management System | A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0. It has been classified as critical. This affects an unknown part of the file /user/search_result2.php of the component Parameter Handler. The manipulation of the argument search leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-01-03 | 6.3 | CVE-2025-0174 |
code-projects–Point of Sales and Inventory Management System | A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /user/add_cart.php. The manipulation of the argument id/qty leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-03 | 6.3 | CVE-2025-0176 |
code-projects–Point of Sales and Inventory Management System | A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /user/del_product.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-03 | 6.3 | CVE-2025-0195 |
code-projects–Point of Sales and Inventory Management System | A vulnerability classified as critical has been found in code-projects Point of Sales and Inventory Management System 1.0. This affects an unknown part of the file /user/plist.php. The manipulation of the argument cat leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-01-03 | 6.3 | CVE-2025-0196 |
code-projects–Point of Sales and Inventory Management System | A vulnerability classified as critical was found in code-projects Point of Sales and Inventory Management System 1.0. This vulnerability affects unknown code of the file /user/search.php. The manipulation of the argument name leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-03 | 6.3 | CVE-2025-0197 |
code-projects–Point of Sales and Inventory Management System | A vulnerability, which was classified as critical, has been found in code-projects Point of Sales and Inventory Management System 1.0. This issue affects some unknown processing of the file /user/search_result.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-03 | 6.3 | CVE-2025-0198 |
code-projects–Point of Sales and Inventory Management System | A vulnerability, which was classified as critical, was found in code-projects Point of Sales and Inventory Management System 1.0. Affected is an unknown function of the file /user/minus_cart.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-01-03 | 6.3 | CVE-2025-0199 |
code-projects–Point of Sales and Inventory Management System | A vulnerability has been found in code-projects Point of Sales and Inventory Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /user/search_num.php. The manipulation of the argument search leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-04 | 6.3 | CVE-2025-0200 |
code-projects–Point of Sales and Inventory Management System | A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /user/update_account.php. The manipulation of the argument username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-04 | 6.3 | CVE-2025-0201 |
code-projects–Responsive Hotel Site | A vulnerability, which was classified as critical, was found in code-projects Responsive Hotel Site 1.0. Affected is an unknown function of the file /admin/print.php. The manipulation of the argument pid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 6.3 | CVE-2025-0230 |
code-projects–Simple Chat System | A vulnerability was found in code-projects Simple Chat System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /add_user.php. The manipulation of the argument name/email/password/number leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-12-30 | 6.3 | CVE-2024-13039 |
code-projects–Student Management System | A vulnerability was found in code-projects Student Management System 1.0. It has been declared as critical. This vulnerability affects the function showSubject1 of the file /config/DbFunction.php. The manipulation of the argument sid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-01-04 | 6.3 | CVE-2025-0203 |
code-projects–Travel Management System | A vulnerability, which was classified as critical, has been found in code-projects Travel Management System 1.0. This issue affects some unknown processing of the file /enquiry.php. The manipulation of the argument pid/t1/t2/t3/t4/t5/t6/t7 leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 6.3 | CVE-2025-0229 |
CodeAstro–Online Food Ordering System | A vulnerability was found in CodeAstro Online Food Ordering System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/update_users.php of the component Update User Page. The manipulation of the argument user_upd leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-12-31 | 6.3 | CVE-2024-13070 |
CodeAstro–Online Food Ordering System | A vulnerability was found in CodeAstro Online Food Ordering System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/all_users.php of the component All Users Page. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-12-31 | 5.3 | CVE-2024-13067 |
Codebard–CodeBard Help Desk | Cross-Site Request Forgery (CSRF) vulnerability in Codebard CodeBard Help Desk allows Cross Site Request Forgery. This issue affects CodeBard Help Desk: from n/a through 1.1.1. | 2024-12-31 | 5.4 | CVE-2024-56222 |
codedrafty–Mediabay | Missing Authorization vulnerability in codedrafty Mediabay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mediabay: from n/a through 1.6. | 2025-01-02 | 4.3 | CVE-2023-46612 |
CodePeople–Appointment Hour Booking | Missing Authorization vulnerability in CodePeople Appointment Hour Booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Appointment Hour Booking: from n/a through 1.4.23. | 2025-01-02 | 5.3 | CVE-2023-45649 |
Codezips–Blood Bank Management System | A vulnerability was found in Codezips Blood Bank Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /successadmin.php. The manipulation of the argument psw leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 6.3 | CVE-2025-0232 |
Codezips–Gym Management System | A vulnerability has been found in Codezips Gym Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /dashboard/admin/submit_payments.php. The manipulation of the argument m_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 6.3 | CVE-2025-0231 |
Contest Gallery–Contest Gallery | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Contest Gallery Contest Gallery allows Stored XSS. This issue affects Contest Gallery: from n/a through 24.0.3. | 2025-01-02 | 5.9 | CVE-2024-56237 |
ConvertCalculator–ConvertCalculator for WordPress | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ConvertCalculator ConvertCalculator for WordPress allows Stored XSS. This issue affects ConvertCalculator for WordPress: from n/a through 1.1.1. | 2025-01-02 | 6.5 | CVE-2024-56302 |
CoolPlugins–Coins MarketCap | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in CoolPlugins Coins MarketCap allows DOM-Based XSS. This issue affects Coins MarketCap: from n/a through 5.5.8. | 2025-01-02 | 6.5 | CVE-2024-56257 |
CoSchedule–Headline Analyzer | Missing Authorization vulnerability in CoSchedule Headline Analyzer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Headline Analyzer: from n/a through 1.3.1. | 2025-01-02 | 6.5 | CVE-2023-46195 |
Coupon Plugin–Coupon | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Coupon Plugin Coupon allows DOM-Based XSS. This issue affects Coupon: from n/a through 1.2.1. | 2024-12-31 | 6.5 | CVE-2024-56235 |
CreativeThemes–Blocksy | Cross-Site Request Forgery (CSRF) vulnerability in CreativeThemes Blocksy allows Cross Site Request Forgery. This issue affects Blocksy: from n/a through 2.0.22. | 2025-01-02 | 5.4 | CVE-2024-37469 |
Creativthemes–Point | Cross-Site Request Forgery (CSRF) vulnerability in Creativthemes Point allows Cross Site Request Forgery. This issue affects Point: from n/a through 1.1. | 2025-01-02 | 4.3 | CVE-2024-37931 |
CusRev–Customer Reviews for WooCommerce | Missing Authorization vulnerability in CusRev Customer Reviews for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Customer Reviews for WooCommerce: from n/a through 5.36.0. | 2025-01-02 | 4.3 | CVE-2023-45101 |
Cyberlord92–Broken Link Checker \| Finder | Missing Authorization vulnerability in Cyberlord92 Broken Link Checker \| Finder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Broken Link Checker \| Finder: from n/a through 2.4.2. | 2025-01-02 | 5.3 | CVE-2023-46082 |
D-Link–DIR-816 A2 | A vulnerability classified as critical was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. This vulnerability affects unknown code of the file /goform/DDNS of the component DDNS Service. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-02 | 5.3 | CVE-2024-13102 |
D-Link–DIR-816 A2 | A vulnerability, which was classified as critical, has been found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. This issue affects some unknown processing of the file /goform/form2AddVrtsrv.cgi of the component Virtual Service Handler. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-02 | 5.3 | CVE-2024-13103 |
D-Link–DIR-816 A2 | A vulnerability, which was classified as critical, was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. Affected is an unknown function of the file /goform/form2AdvanceSetup.cgi of the component WiFi Settings Handler. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-01-02 | 5.3 | CVE-2024-13104 |
D-Link–DIR-816 A2 | A vulnerability has been found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /goform/form2Dhcpd.cgi of the component DHCPD Setting Handler. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-02 | 5.3 | CVE-2024-13105 |
D-Link–DIR-816 A2 | A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210 and classified as critical. Affected by this issue is some unknown functionality of the file /goform/form2IPQoSTcAdd of the component IP QoS Handler. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-02 | 5.3 | CVE-2024-13106 |
D-Link–DIR-816 A2 | A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. It has been classified as critical. This affects an unknown part of the file /goform/form2LocalAclEditcfg.cgi of the component ACL Handler. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-01-02 | 5.3 | CVE-2024-13107 |
D-Link–DIR-816 A2 | A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. It has been declared as critical. This vulnerability affects unknown code of the file /goform/form2NetSniper.cgi. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-02 | 5.3 | CVE-2024-13108 |
Dahua–IPC-HFW1200S | A vulnerability classified as problematic has been found in Dahua IPC-HFW1200S, IPC-HFW2300R-Z, IPC-HFW5220E-Z and IPC-HDW1200S up to 20241222. This affects an unknown part of the file /web_caps/webCapsConfig of the component Web Interface. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-01-05 | 5.3 | CVE-2024-13131 |
Dahua–IPC-HFW1200S | A vulnerability was found in Dahua IPC-HFW1200S, IPC-HFW2300R-Z, IPC-HFW5220E-Z and IPC-HDW1200S up to 20241222. It has been rated as problematic. Affected by this issue is some unknown functionality of the file ../mtd/Config/Sha1Account1 of the component Web Interface. The manipulation leads to path traversal: ‘../filedir’. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-01-05 | 4.3 | CVE-2024-13130 |
Daniel Söderström / Sidney van de Stouwe–Subscribe to Category | Missing Authorization vulnerability in Daniel Söderström / Sidney van de Stouwe Subscribe to Category allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscribe to Category: from n/a through 2.7.4. | 2025-01-02 | 4.3 | CVE-2022-43476 |
David de Boer–Paytium | Missing Authorization vulnerability in David de Boer Paytium. This issue affects Paytium: from n/a through 4.4.10. | 2024-12-31 | 4.3 | CVE-2024-51667 |
Debuggers Studio–SaasPricing | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Debuggers Studio SaasPricing allows DOM-Based XSS. This issue affects SaasPricing: from n/a through 1.1.4. | 2024-12-31 | 6.5 | CVE-2024-56231 |
DesertThemes–NewsMash | Cross-Site Request Forgery (CSRF) vulnerability in DesertThemes NewsMash allows Cross Site Request Forgery. This issue affects NewsMash: from n/a through 1.0.34. | 2025-01-02 | 4.3 | CVE-2024-37441 |
dglingren–Media Library Assistant | The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘smc_settings_tab’, ‘unattachfixit-action’, and ‘woofixit-action’ parameters in all versions up to, and including, 3.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-01-04 | 6.1 | CVE-2024-11974 |
Dragfy–Dragfy Addons for Elementor | Missing Authorization vulnerability in Dragfy Dragfy Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dragfy Addons for Elementor: from n/a through 1.0.2. | 2025-01-02 | 5.4 | CVE-2023-47661 |
Ecreate Infotech–Auto Tag Creator | Missing Authorization vulnerability in Ecreate Infotech Auto Tag Creator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Auto Tag Creator: from n/a through 1.0.2. | 2025-01-02 | 4.3 | CVE-2023-47523 |
Elicus–WPMozo Addons Lite for Elementor | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Elicus WPMozo Addons Lite for Elementor allows Stored XSS. This issue affects WPMozo Addons Lite for Elementor: from n/a through 1.2.0. | 2024-12-31 | 6.5 | CVE-2024-56221 |
Epsiloncool–WP Fast Total Search | Cross-Site Request Forgery (CSRF) vulnerability in Epsiloncool WP Fast Total Search. This issue affects WP Fast Total Search: from n/a through 1.69.234. | 2025-01-02 | 4.3 | CVE-2024-38778 |
Event Espresso–Event Espresso 4 Decaf | Cross-Site Request Forgery (CSRF) vulnerability in Event Espresso Event Espresso 4 Decaf allows Cross Site Request Forgery. This issue affects Event Espresso 4 Decaf: from n/a through 5.0.28.decaf. | 2025-01-02 | 4.3 | CVE-2024-56251 |
ExtendThemes–Highlight | Cross-Site Request Forgery (CSRF) vulnerability in ExtendThemes Highlight allows Cross Site Request Forgery. This issue affects Highlight: from n/a through 1.0.29. | 2025-01-02 | 4.3 | CVE-2024-37458 |
Faboba–Falang multilanguage | Cross-Site Request Forgery (CSRF) vulnerability in Faboba Falang multilanguage allows Cross Site Request Forgery. This issue affects Falang multilanguage: from n/a through 1.3.51. | 2025-01-02 | 4.3 | CVE-2024-37240 |
FameThemes–OnePress | Cross-Site Request Forgery (CSRF) vulnerability in FameThemes OnePress allows Cross Site Request Forgery. This issue affects OnePress: from n/a through 2.3.6. | 2025-01-02 | 4.3 | CVE-2024-37448 |
Farhan Noor–ApplyOnline Application Form Builder and Manager | Missing Authorization vulnerability in Farhan Noor ApplyOnline – Application Form Builder and Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ApplyOnline – Application Form Builder and Manager: from n/a through 2.5.3. | 2025-01-02 | 4.3 | CVE-2023-46080 |
Fatcat Apps–Landing Page Cat | Missing Authorization vulnerability in Fatcat Apps Landing Page Cat. This issue affects Landing Page Cat: from n/a through 1.7.4. | 2024-12-31 | 5.4 | CVE-2024-49686 |
FeedbackWP–kk Star Ratings | Missing Authorization vulnerability in FeedbackWP kk Star Ratings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects kk Star Ratings: from n/a through 5.4.5. | 2025-01-02 | 5.3 | CVE-2023-46639 |
FeedFocal–FeedFocal | Missing Authorization vulnerability in FeedFocal FeedFocal allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FeedFocal: from n/a through 1.2.2. | 2025-01-02 | 6.5 | CVE-2023-46609 |
Flothemes–Flo Forms | Missing Authorization vulnerability in Flothemes Flo Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Flo Forms: from n/a through 1.0.41. | 2025-01-02 | 4.3 | CVE-2023-47692 |
Freelancelot–Oceanic | Cross-Site Request Forgery (CSRF) vulnerability in Freelancelot Oceanic allows Cross Site Request Forgery. This issue affects Oceanic: from n/a through 1.0.48. | 2025-01-02 | 4.3 | CVE-2024-38765 |
Freshlight Lab–WP Mobile Menu | Cross-Site Request Forgery (CSRF) vulnerability in Freshlight Lab WP Mobile Menu allows Cross Site Request Forgery. This issue affects WP Mobile Menu: from n/a through 2.8.4.3. | 2025-01-02 | 4.3 | CVE-2024-37274 |
FS-code–FS Poster | Cross-Site Request Forgery (CSRF) vulnerability in FS-code FS Poster allows Cross Site Request Forgery. This issue affects FS Poster: from n/a through 6.5.8. | 2025-01-02 | 4.3 | CVE-2024-37237 |
Galleryape–Gallery Images Ape | Missing Authorization vulnerability in Galleryape Gallery Images Ape allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gallery Images Ape: from n/a through 2.2.8. | 2025-01-02 | 4.3 | CVE-2022-41995 |
Gavin Rehkemper–Inline Footnotes | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Gavin Rehkemper Inline Footnotes allows Stored XSS. This issue affects Inline Footnotes: from n/a through 2.3.0. | 2025-01-02 | 6.5 | CVE-2024-56019 |
Gfazioli–WP Cleanfix | Missing Authorization vulnerability in Gfazioli WP Cleanfix allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Cleanfix: from n/a through 5.6.2. | 2024-12-31 | 5.3 | CVE-2023-48775 |
GiveWP–GiveWP | Missing Authorization vulnerability in GiveWP GiveWP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GiveWP: from n/a through 2.33.1. | 2025-01-02 | 5.3 | CVE-2023-47183 |
Google–Android | In wbrc_bt_dev_write of wb_regon_coordinator.c, there is a possible out of bounds write due to a buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | 6.7 | CVE-2024-53836 |
Google–Android | In GetCellInfoList() of protocolnetadapter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with baseband firmware compromise required. User Interaction is not needed for exploitation. | 2025-01-03 | 5.5 | CVE-2024-53839 |
Greg Winiarski–WPAdverts Classifieds Plugin | Cross-Site Request Forgery (CSRF) vulnerability in Greg Winiarski WPAdverts – Classifieds Plugin allows Cross Site Request Forgery. This issue affects WPAdverts – Classifieds Plugin: from n/a through 2.1.2. | 2025-01-02 | 4.3 | CVE-2024-37238 |
Groundhogg Inc.–Groundhogg | Cross-Site Request Forgery (CSRF) vulnerability in Groundhogg Inc. Groundhogg allows Cross Site Request Forgery. This issue affects Groundhogg: from n/a through 3.4.2.3. | 2025-01-02 | 4.3 | CVE-2024-37235 |
GS Plugins–GS Coaches | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in GS Plugins GS Coaches allows Stored XSS. This issue affects GS Coaches: from n/a through 1.1.0. | 2025-01-02 | 6.5 | CVE-2024-56262 |
GS Plugins–GS Shots for Dribbble | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in GS Plugins GS Shots for Dribbble allows DOM-Based XSS. This issue affects GS Shots for Dribbble: from n/a through 1.2.0. | 2025-01-02 | 6.5 | CVE-2024-56263 |
GS Plugins–Project Showcase | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in GS Plugins Project Showcase allows Stored XSS. This issue affects Project Showcase: from n/a through 1.1.1. | 2025-01-02 | 6.5 | CVE-2024-56261 |
gVectors Team–wpDiscuz | Missing Authorization vulnerability in gVectors Team wpDiscuz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpDiscuz: from n/a through 7.6.10. | 2025-01-02 | 5.3 | CVE-2023-46309 |
gVectors Team–wpDiscuz | Missing Authorization vulnerability in gVectors Team wpDiscuz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpDiscuz: from n/a through 7.6.3. | 2025-01-02 | 4.3 | CVE-2023-45760 |
Horea Radu–Mesmerize | Cross-Site Request Forgery (CSRF) vulnerability in Horea Radu Mesmerize allows Cross Site Request Forgery. This issue affects Mesmerize: from n/a through 1.6.120. | 2025-01-02 | 4.3 | CVE-2024-37431 |
IBM–Engineering Lifecycle Optimization Publishing | IBM Engineering Lifecycle Optimization – Publishing 7.0.2 and 7.0.3 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system. | 2025-01-04 | 6.5 | CVE-2024-41765 |
IBM–Engineering Lifecycle Optimization Publishing | IBM Engineering Lifecycle Optimization – Publishing 7.0.2 and 7.0.3 could allow a remote attacker to cause an unhandled SSL exception which could leave the connection in an unexpected or insecure state. | 2025-01-04 | 6.5 | CVE-2024-41768 |
IBM–Engineering Lifecycle Optimization Publishing | IBM Engineering Lifecycle Optimization – Publishing 7.0.2 and 7.0.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 2025-01-04 | 5.9 | CVE-2024-41763 |
IBM–i | IBM PowerHA SystemMirror for i 7.4 and 7.5 contains improper restrictions when rendering content via iFrames. This vulnerability could allow an attacker to gain improper access and perform unauthorized actions on the system. | 2025-01-03 | 5.4 | CVE-2024-55896 |
IBM–i | IBM PowerHA SystemMirror for i 7.4 and 7.5 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. | 2025-01-03 | 4.3 | CVE-2024-55897 |
IBM–Jazz Foundation | IBM Jazz Foundation 7.0.2, 7.0.3, and 7.1.0 could allow a physical user to obtain sensitive information due to not masking passwords during entry. | 2025-01-03 | 4.2 | CVE-2024-41780 |
IBM–Jazz Foundation | IBM Jazz Foundation 7.0.2, 7.0.3, and 7.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. | 2025-01-03 | 4.3 | CVE-2024-5591 |
ibnuyahya–Category Post Shortcode | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ibnuyahya Category Post Shortcode allows Stored XSS. This issue affects Category Post Shortcode: from n/a through 2.4. | 2025-01-01 | 6.5 | CVE-2024-56021 |
IDX–IMPress Listings | Missing Authorization vulnerability in IDX IMPress Listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects IMPress Listings: from n/a through 2.6.2. | 2025-01-02 | 6.5 | CVE-2023-45633 |
imw3–My Wp Brand Hide menu & Hide Plugin | Missing Authorization vulnerability in imw3 My Wp Brand – Hide menu & Hide Plugin. This issue affects My Wp Brand – Hide menu & Hide Plugin: from n/a through 1.1.2. | 2024-12-31 | 5.3 | CVE-2024-49694 |
IOBit–Protected Folder | A vulnerability has been found in IOBit Protected Folder up to 1.3.0 and classified as problematic. This vulnerability affects the function 0x22200c in the library pffilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-01-05 | 5.5 | CVE-2025-0221 |
IObit–Protected Folder | A vulnerability was found in IObit Protected Folder up to 13.6.0.5 and classified as problematic. This issue affects the function 0x8001E000/0x8001E004 in the library IUProcessFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-01-05 | 5.5 | CVE-2025-0222 |
IObit–Protected Folder | A vulnerability was found in IObit Protected Folder up to 13.6.0.5. It has been classified as problematic. Affected is the function 0x8001E000/0x8001E00C/0x8001E004/0x8001E010 in the library IURegistryFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-01-05 | 5.5 | CVE-2025-0223 |
Jakob Bouchard–Hestia Nginx Cache | Missing Authorization vulnerability in Jakob Bouchard Hestia Nginx Cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hestia Nginx Cache: from n/a through 2.4.0. | 2025-01-02 | 4.3 | CVE-2024-56236 |
JoomUnited–WP Table Manager | Missing Authorization vulnerability in JoomUnited WP Table Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Table Manager: from n/a through 3.5.2. | 2025-01-02 | 5.3 | CVE-2022-47601 |
Jose Mortellaro–Freesoul Deactivate Plugins Plugin manager and cleanup | Missing Authorization vulnerability in Jose Mortellaro Freesoul Deactivate Plugins – Plugin manager and cleanup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Freesoul Deactivate Plugins – Plugin manager and cleanup: from n/a through 2.1.3. | 2025-01-02 | 4.3 | CVE-2023-46188 |
JS Morisset–WPSSO Core | Missing Authorization vulnerability in JS Morisset WPSSO Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPSSO Core: from n/a through 18.18.1. | 2025-01-02 | 4.3 | CVE-2024-56243 |
JustCoded / Alex Prokopenko–Just Custom Fields | Missing Authorization vulnerability in JustCoded / Alex Prokopenko Just Custom Fields allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Just Custom Fields: from n/a through 3.3.2. | 2025-01-02 | 4.3 | CVE-2023-46203 |
justin_k–WP Social AutoConnect | The WP Social AutoConnect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-01-04 | 6.1 | CVE-2024-12279 |
KaizenCoders–Short URL | Missing Authorization vulnerability in KaizenCoders Short URL allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Short URL: from n/a through 1.6.8. | 2025-01-02 | 5.4 | CVE-2023-47225 |
Kali Forms–Contact Form builder with drag & drop – Kali Forms | Missing Authorization vulnerability in Kali Forms Contact Form builder with drag & drop – Kali Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form builder with drag & drop – Kali Forms: from n/a through 2.3.28. | 2025-01-02 | 6.5 | CVE-2023-45275 |
Kali Forms–Contact Form builder with drag & drop – Kali Forms |
Missing Authorization vulnerability in Kali Forms Contact Form builder with drag & drop – Kali Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form builder with drag & drop – Kali Forms: from n/a through 2.3.27. | 2025-01-02 | 5.3 | CVE-2023-46083 |
khoj-ai–khoj |
Khoj is a self-hostable artificial intelligence app. Prior to version 1.29.10, an Insecure Direct Object Reference (IDOR) vulnerability in the update_subscription endpoint allows any authenticated user to manipulate other users’ Stripe subscriptions by simply modifying the email parameter in the request. The vulnerability exists in the subscription endpoint at `/api/subscription`. The endpoint uses an email parameter as a direct reference to user subscriptions without verifying object ownership. While authentication is required, there is no authorization check to verify if the authenticated user owns the referenced subscription. The issue was fixed in version 1.29.10. Support for arbitrarily presenting an email for update has been deprecated. | 2024-12-30 | 4.3 | CVE-2024-52294 |
Kishor Khambu–WP Custom Widget area |
Missing Authorization vulnerability in Kishor Khambu WP Custom Widget area allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Custom Widget area: from n/a through 1.2.5. | 2025-01-02 | 5.4 | CVE-2023-45045 |
Labib Ahmed–Animated Rotating Words |
Missing Authorization vulnerability in Labib Ahmed Animated Rotating Words allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Animated Rotating Words: from n/a through 5.4. | 2025-01-02 | 5.4 | CVE-2023-47187 |
Labib Ahmed–Animated Rotating Words |
Cross-Site Request Forgery (CSRF) vulnerability in Labib Ahmed Animated Rotating Words allows Cross Site Request Forgery.This issue affects Animated Rotating Words: from n/a through 5.6. | 2025-01-02 | 4.3 | CVE-2024-38753 |
Leaky Paywall–Leaky Paywall |
Cross-Site Request Forgery (CSRF) vulnerability in Leaky Paywall Leaky Paywall allows Cross Site Request Forgery.This issue affects Leaky Paywall: from n/a through 4.21.2. | 2025-01-02 | 4.3 | CVE-2024-37540 |
Leap13–Premium Addons for Elementor |
Missing Authorization vulnerability in Leap13 Premium Addons for Elementor allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Premium Addons for Elementor: from n/a through 4.10.56. | 2024-12-31 | 5.4 | CVE-2024-56225 |
Leap13–Premium Blocks Gutenberg Blocks for WordPress |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Leap13 Premium Blocks – Gutenberg Blocks for WordPress allows Stored XSS.This issue affects Premium Blocks – Gutenberg Blocks for WordPress: from n/a through 2.1.42. | 2025-01-02 | 6.5 | CVE-2024-56245 |
LearningTimes–BadgeOS |
Missing Authorization vulnerability in LearningTimes BadgeOS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BadgeOS: from n/a through 3.7.1.6. | 2025-01-02 | 4.3 | CVE-2023-47647 |
Ledenbeheer–Ledenbeheer |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Ledenbeheer allows Stored XSS.This issue affects Ledenbeheer: from n/a through 2.1.0. | 2024-12-31 | 6.5 | CVE-2024-56224 |
Liquid Web / StellarWP–GiveWP |
Missing Authorization vulnerability in Liquid Web / StellarWP GiveWP.This issue affects GiveWP: from n/a through 2.25.1. | 2025-01-02 | 5.4 | CVE-2023-23672 |
LuckyWP–LuckyWP Scripts Control |
Missing Authorization vulnerability in LuckyWP LuckyWP Scripts Control allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LuckyWP Scripts Control: from n/a through 1.2.1. | 2025-01-02 | 4.3 | CVE-2023-47778 |
Magazine3–Google Adsense & Banner Ads by AdsforWP |
Cross-Site Request Forgery (CSRF) vulnerability in Magazine3 Google Adsense & Banner Ads by AdsforWP allows Cross Site Request Forgery.This issue affects Google Adsense & Banner Ads by AdsforWP: from n/a through 1.9.28. | 2025-01-02 | 4.3 | CVE-2024-38751 |
Marco Milesi–Telegram Bot & Channel |
Cross-Site Request Forgery (CSRF) vulnerability in Marco Milesi Telegram Bot & Channel allows Cross Site Request Forgery.This issue affects Telegram Bot & Channel: from n/a through 3.8.2. | 2025-01-02 | 5.4 | CVE-2024-38789 |
Mario Di Pasquale–SvegliaT Buttons |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Mario Di Pasquale SvegliaT Buttons allows Stored XSS.This issue affects SvegliaT Buttons: from n/a through 1.3.0. | 2025-01-01 | 6.5 | CVE-2024-56020 |
MarketingFire–Widget Options |
Missing Authorization vulnerability in MarketingFire Widget Options allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Widget Options: from n/a through 4.0.6.1. | 2024-12-31 | 4.3 | CVE-2024-56219 |
Marsian–i-amaze |
Cross-Site Request Forgery (CSRF) vulnerability in Marsian i-amaze allows Cross Site Request Forgery.This issue affects i-amaze: from n/a through 1.3.7. | 2025-01-02 | 4.3 | CVE-2024-38731 |
Marsian–i-transform |
Cross-Site Request Forgery (CSRF) vulnerability in Marsian allows Cross Site Request Forgery.This issue affects i-transform: from n/a through 3.0.9. | 2025-01-02 | 4.3 | CVE-2024-38764 |
Martin Gibson–WP Custom Admin Interface |
Missing Authorization vulnerability in Martin Gibson WP Custom Admin Interface allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Custom Admin Interface: from n/a through 7.32. | 2025-01-02 | 4.3 | CVE-2023-44988 |
Mashov–Mashov |
Mashov – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | 2024-12-30 | 5.3 | CVE-2024-47923 |
Matomo–Matomo Analytics |
Cross-Site Request Forgery (CSRF) vulnerability in Matomo Matomo Analytics allows Cross Site Request Forgery.This issue affects Matomo Analytics: from n/a through 5.1.1. | 2025-01-02 | 4.3 | CVE-2024-38766 |
MBE Worldwide S.p.A.–MBE eShip |
Cross-Site Request Forgery (CSRF) vulnerability in MBE Worldwide S.p.A. MBE eShip allows Cross Site Request Forgery.This issue affects MBE eShip: from n/a through 2.1.2. | 2025-01-02 | 5.4 | CVE-2024-38729 |
Metorik–Metorik Reports & Email Automation for WooCommerce |
Cross-Site Request Forgery (CSRF) vulnerability in Metorik Metorik – Reports & Email Automation for WooCommerce allows Cross Site Request Forgery.This issue affects Metorik – Reports & Email Automation for WooCommerce: from n/a through 1.7.1. | 2025-01-02 | 4.3 | CVE-2024-38691 |
moveaddons–Move Addons for Elementor |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in moveaddons Move Addons for Elementor allows Stored XSS.This issue affects Move Addons for Elementor: from n/a through 1.3.6. | 2025-01-02 | 6.5 | CVE-2024-56254 |
MyThemeShop–Schema Lite |
Cross-Site Request Forgery (CSRF) vulnerability in MyThemeShop Schema Lite allows Cross Site Request Forgery.This issue affects Schema Lite: from n/a through 1.2.2. | 2025-01-02 | 4.3 | CVE-2024-37452 |
n/a–n/a |
FFmpeg n6.1.1 has a vulnerability in the DXA demuxer of the libavformat library allowing for an integer overflow, potentially resulting in a denial-of-service (DoS) condition or other undefined behavior. | 2025-01-03 | 6.2 | CVE-2024-36613 |
n/a–n/a |
The Net::EasyTCP package before 0.15 for Perl always uses Perl’s builtin rand(), which is not a strong random number generator, for cryptographic keys. | 2025-01-02 | 5.4 | CVE-2002-20002 |
n/a–n/a |
The Net::EasyTCP package 0.15 through 0.26 for Perl uses Perl’s builtin rand() if no strong randomization module is present. | 2025-01-02 | 5.4 | CVE-2024-56830 |
n/a–n/a |
Cross Site Scripting vulnerability in Audiocodes MP-202b v.4.4.3 allows a remote attacker to escalate privileges via the login page of the web interface. | 2025-01-02 | 4.7 | CVE-2024-48197 |
n/a–n/a |
Landray EIS 2001 through 2006 allows Message/fi_message_receiver.aspx?replyid= SQL injection. | 2025-01-02 | 4.3 | CVE-2025-22214 |
nik00726–Photo Gallery Slideshow & Masonry Tiled Gallery |
The Photo Gallery Slideshow & Masonry Tiled Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.15 via the rjg_get_youtube_info_justified_gallery_callback function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to retrieve limited information from internal services. | 2025-01-03 | 4.3 | CVE-2024-12237 |
Nitesh Singh–Ultimate Auction |
Cross-Site Request Forgery (CSRF) vulnerability in Nitesh Singh Ultimate Auction allows Cross Site Request Forgery.This issue affects Ultimate Auction : from n/a through 4.2.5. | 2025-01-02 | 4.3 | CVE-2024-37543 |
nofearinc–DX Delete Attached Media |
Missing Authorization vulnerability in nofearinc DX Delete Attached Media allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DX Delete Attached Media: from n/a through 2.0.5.1. | 2025-01-02 | 5.3 | CVE-2023-46073 |
NSquared–Draw Attention |
Missing Authorization vulnerability in NSquared Draw Attention allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Draw Attention: from n/a through 2.0.15. | 2025-01-02 | 5.4 | CVE-2023-46616 |
pglombardo–PasswordPusher |
Password Pusher is an open source application to communicate sensitive information over the web. A vulnerability has been reported in versions 1.50.3 and prior where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before this process, they can use the token to gain unauthorized access to the user’s session until the token expires or is manually cleared. This vulnerability hinges on the attacker’s ability to access the session cookie during an active session, either through a man-in-the-middle attack, by exploiting another vulnerability like XSS, or via direct access to the victim’s device. Although there is no direct resolution to this vulnerability, it is recommended to always use the latest version of Password Pusher to best mitigate risk. If self-hosting, ensure Password Pusher is hosted exclusively over SSL connections to encrypt traffic and prevent session cookies from being intercepted in transit. Additionally, implement best practices in local security to safeguard user systems, browsers, and data against unauthorized access. | 2024-12-30 | 5.7 | CVE-2024-56733 |
PHPGurukul–Land Record System |
A vulnerability has been found in PHPGurukul Land Record System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument searchdata leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-12-31 | 6.3 | CVE-2024-13078 |
PHPGurukul–Land Record System |
A vulnerability was found in PHPGurukul Land Record System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/property-details.php. The manipulation of the argument editid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-12-31 | 6.3 | CVE-2024-13079 |
PHPGurukul–Land Record System |
A vulnerability classified as critical was found in PHPGurukul Land Record System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/search-property.php. The manipulation of the argument searchdata leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-12-31 | 6.3 | CVE-2024-13084 |
Poll Maker Team–Poll Maker |
Missing Authorization vulnerability in Poll Maker Team Poll Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Poll Maker: from n/a through 4.7.1. | 2025-01-02 | 5.3 | CVE-2023-45766 |
Porthas Inc.–Contact Form, Survey & Form Builder MightyForms |
Missing Authorization vulnerability in Porthas Inc. Contact Form, Survey & Form Builder – MightyForms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form, Survey & Form Builder – MightyForms: from n/a through 1.3.9. | 2024-12-31 | 6.4 | CVE-2024-56002 |
Porto Theme–Porto Theme – Functionality |
Missing Authorization vulnerability in Porto Theme Porto Theme – Functionality allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Porto Theme – Functionality: from n/a before 2.12.1. | 2025-01-02 | 5.3 | CVE-2023-48739 |
POSIMYTH–Nexter Blocks |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in POSIMYTH Nexter Blocks allows DOM-Based XSS.This issue affects Nexter Blocks: from n/a through 4.0.4. | 2025-01-02 | 6.5 | CVE-2024-56246 |
PressTigers–Simple Job Board |
Missing Authorization vulnerability in PressTigers Simple Job Board allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Job Board: from n/a through 2.10.5. | 2025-01-02 | 5.3 | CVE-2023-47188 |
PriceListo–Best Restaurant Menu by PriceListo |
Missing Authorization vulnerability in PriceListo Best Restaurant Menu by PriceListo.This issue affects Best Restaurant Menu by PriceListo: from n/a through 1.4.2. | 2024-12-31 | 4.3 | CVE-2024-49698 |
Progress Software Corporation–WhatsUp Gold |
In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure. | 2024-12-31 | 6.5 | CVE-2024-12105 |
Pronamic–Pronamic Google Maps |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Pronamic Pronamic Google Maps allows Stored XSS.This issue affects Pronamic Google Maps: from n/a through 2.3.2. | 2025-01-02 | 6.5 | CVE-2024-56240 |
Provision-ISR–SH-4050A-2 |
A vulnerability was found in Provision-ISR SH-4050A-2, SH-4100A-2L(MM), SH-8100A-2L(MM), SH-16200A-2(1U), SH-16200A-5(1U) and NVR5-8200PX up to 20241220. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /server.js. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 5.3 | CVE-2025-0224 |
Putler / Storeapps–Putler Connector for WooCommerce |
Missing Authorization vulnerability in Putler / Storeapps Putler Connector for WooCommerce.This issue affects Putler Connector for WooCommerce: from n/a through 2.12.0. | 2025-01-02 | 6.5 | CVE-2023-40327 |
quillforms.com–Quill Forms |
Missing Authorization vulnerability in quillforms.com Quill Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quill Forms: from n/a through 3.3.0. | 2025-01-02 | 6.5 | CVE-2023-46610 |
QunatumCloud–Floating Action Buttons |
Missing Authorization vulnerability in QunatumCloud Floating Action Buttons allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Floating Action Buttons: from n/a through 0.9.1. | 2025-01-02 | 5.3 | CVE-2024-56238 |
Rara Theme–Benevolent |
Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Benevolent allows Cross Site Request Forgery.This issue affects Benevolent: from n/a through 1.3.4. | 2025-01-02 | 4.3 | CVE-2024-37450 |
Rara Theme–Chic Lite |
Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Chic Lite allows Cross Site Request Forgery.This issue affects Chic Lite: from n/a through 1.1.3. | 2025-01-02 | 4.3 | CVE-2024-37104 |
Rara Theme–Construction Landing Page |
Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Construction Landing Page allows Cross Site Request Forgery.This issue affects Construction Landing Page: from n/a through 1.3.5. | 2025-01-02 | 4.3 | CVE-2024-37508 |
Rara Theme–Education Zone |
Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Education Zone allows Cross Site Request Forgery.This issue affects Education Zone: from n/a through 1.3.4. | 2025-01-02 | 4.3 | CVE-2024-37103 |
Rara Theme–Elegant Pink |
Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Elegant Pink allows Cross Site Request Forgery.This issue affects Elegant Pink: from n/a through 1.3.0. | 2025-01-02 | 4.3 | CVE-2024-37426 |
Rara Theme–JobScout |
Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme JobScout allows Cross Site Request Forgery.This issue affects JobScout: from n/a through 1.1.4. | 2025-01-02 | 4.3 | CVE-2024-37421 |
Rara Theme–Lawyer Landing Page |
Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Lawyer Landing Page allows Cross Site Request Forgery.This issue affects Lawyer Landing Page: from n/a through 1.2.4. | 2025-01-02 | 4.3 | CVE-2024-37503 |
Rara Theme–Perfect Portfolio |
Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Perfect Portfolio allows Cross Site Request Forgery.This issue affects Perfect Portfolio: from n/a through 1.2.0. | 2025-01-02 | 4.3 | CVE-2024-37435 |
Rara Theme–Preschool and Kindergarten |
Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Preschool and Kindergarten allows Cross Site Request Forgery.This issue affects Preschool and Kindergarten: from n/a through 1.2.1. | 2025-01-02 | 4.3 | CVE-2024-37413 |
Rara Theme–Rara Business |
Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Rara Business allows Cross Site Request Forgery.This issue affects Rara Business: from n/a through 1.2.5. | 2025-01-02 | 4.3 | CVE-2024-37937 |
Rara Theme–Travel Agency |
Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Travel Agency allows Cross Site Request Forgery.This issue affects Travel Agency: from n/a through 1.4.9. | 2025-01-02 | 4.3 | CVE-2024-37451 |
Red Hat–Red Hat Fuse 7 |
A flaw was found in FFmpeg’s TTY Demuxer. This vulnerability allows possible data exfiltration via improper parsing of non-TTY-compliant input files in HLS playlists. | 2024-12-31 | 5.3 | CVE-2023-6602 |
Red Hat–Red Hat Fuse 7 |
A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service. | 2025-01-02 | 5.9 | CVE-2024-8447 |
RedLettuce Plugins–WP Word Count |
Missing Authorization vulnerability in RedLettuce Plugins WP Word Count allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Word Count: from n/a through 3.2.4. | 2025-01-02 | 4.3 | CVE-2023-46628 |
Repuso–Social proof testimonials and reviews by Repuso |
Missing Authorization vulnerability in Repuso Social proof testimonials and reviews by Repuso allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Social proof testimonials and reviews by Repuso: from n/a through 4.97. | 2025-01-02 | 4.3 | CVE-2023-46196 |
Repute InfoSystems–ARMember Premium |
Missing Authorization vulnerability in Repute InfoSystems ARMember Premium allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ARMember Premium: from n/a through 5.9.2. | 2025-01-02 | 4.3 | CVE-2023-39994 |
RevenueHunt–Product Recommendation Quiz for eCommerce |
Missing Authorization vulnerability in RevenueHunt Product Recommendation Quiz for eCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Recommendation Quiz for eCommerce: from n/a through 2.1.2. | 2025-01-02 | 6.5 | CVE-2023-46631 |
RumbleTalk Ltd–RumbleTalk Live Group Chat |
Missing Authorization vulnerability in RumbleTalk Ltd RumbleTalk Live Group Chat allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RumbleTalk Live Group Chat: from n/a through 6.2.5. | 2025-01-02 | 5.4 | CVE-2023-45828 |
Ruslan Suhar–Convertful Your Ultimate On-Site Conversion Tool |
Missing Authorization vulnerability in Ruslan Suhar Convertful – Your Ultimate On-Site Conversion Tool allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Convertful – Your Ultimate On-Site Conversion Tool: from n/a through 2.5. | 2025-01-02 | 5.3 | CVE-2023-46605 |
Samsung Mobile–Samsung Mobile Devices |
Protection Mechanism Failure in bootloader prior to SMR Oct-2024 Release 1 allows physical attackers to reset lockscreen failure count by hardware fault injection. User interaction is required for triggering this vulnerability. | 2024-12-31 | 5.2 | CVE-2024-49422 |
Saurav Sharma–Generate Dummy Posts |
Missing Authorization vulnerability in Saurav Sharma Generate Dummy Posts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Generate Dummy Posts: from n/a through 1.0.0. | 2025-01-02 | 5.3 | CVE-2023-46637 |
Schema App–Schema App Structured Data |
Missing Authorization vulnerability in Schema App Schema App Structured Data allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Schema App Structured Data: from n/a through 1.23.1. | 2025-01-02 | 5.3 | CVE-2023-44258 |
Searchiq–SearchIQ |
Cross-Site Request Forgery (CSRF) vulnerability in Searchiq SearchIQ.This issue affects SearchIQ: from n/a through 4.6. | 2024-12-31 | 4.3 | CVE-2024-56229 |
Seers–Seers |
Missing Authorization vulnerability in Seers Seers allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Seers: from n/a through 8.1.1. | 2025-01-02 | 5.3 | CVE-2023-47515 |
SKT Themes–Posterity |
Cross-Site Request Forgery (CSRF) vulnerability in SKT Themes Posterity allows Cross Site Request Forgery.This issue affects Posterity: from n/a through 3.3. | 2025-01-02 | 4.3 | CVE-2024-37493 |
smartersite–WP Compress Instant Performance & Speed Optimization |
The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘custom_server’ parameter in all versions up to, and including, 6.30.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-01-04 | 6.1 | CVE-2024-12047 |
Smartsupp–Smartsupp live chat, chatbots, AI and lead generation |
Cross-Site Request Forgery (CSRF) vulnerability in Smartsupp Smartsupp – live chat, chatbots, AI and lead generation allows Cross Site Request Forgery.This issue affects Smartsupp – live chat, chatbots, AI and lead generation: from n/a through 3.6. | 2025-01-02 | 6.5 | CVE-2024-38790 |
Sonaar Music–MP3 Audio Player for Music, Radio & Podcast by Sonaar |
Missing Authorization vulnerability in Sonaar Music MP3 Audio Player for Music, Radio & Podcast by Sonaar allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through 5.8. | 2025-01-02 | 6.3 | CVE-2024-56266 |
SourceCodester–Online Eyewear Shop |
A vulnerability was found in SourceCodester Online Eyewear Shop 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /orders/view_order.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-02 | 6.3 | CVE-2025-0173 |
Stephen Sherrard–Member Directory and Contact Form |
Missing Authorization vulnerability in Stephen Sherrard Member Directory and Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Member Directory and Contact Form: from n/a through 1.7.0. | 2024-12-31 | 4.3 | CVE-2024-56215 |
StoreApps–Smart Manager |
Missing Authorization vulnerability in StoreApps Smart Manager.This issue affects Smart Manager: from n/a through 8.45.0. | 2024-12-31 | 4.3 | CVE-2024-49687 |
StorePlugin–ShopElement |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in StorePlugin ShopElement allows Stored XSS.This issue affects ShopElement: from n/a through 2.0.0. | 2025-01-02 | 6.5 | CVE-2024-56260 |
StylemixThemes–MasterStudy LMS |
Cross-Site Request Forgery (CSRF) vulnerability in StylemixThemes MasterStudy LMS allows Cross Site Request Forgery.This issue affects MasterStudy LMS: from n/a through 3.2.1. | 2025-01-02 | 4.3 | CVE-2024-37093 |
supsystic.com–Data Tables Generator by Supsystic |
Missing Authorization vulnerability in supsystic.com Data Tables Generator by Supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Data Tables Generator by Supsystic: from n/a through 1.10.36. | 2025-01-02 | 5.4 | CVE-2024-56253 |
SWTE–Swift Performance Lite |
Cross-Site Request Forgery (CSRF) vulnerability in SWTE Swift Performance Lite allows Cross Site Request Forgery.This issue affects Swift Performance Lite: from n/a through 2.3.6.20. | 2025-01-02 | 4.3 | CVE-2024-37511 |
Tagbox–Taggbox |
Cross-Site Request Forgery (CSRF) vulnerability in Tagbox Taggbox allows Cross Site Request Forgery.This issue affects Taggbox: from n/a through 3.3. | 2025-01-02 | 4.3 | CVE-2024-38754 |
taskbuilder–Taskbuilder WordPress Project & Task Management plugin |
The Taskbuilder – WordPress Project & Task Management plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s wppm_tasks shortcode in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-01-04 | 6.4 | CVE-2024-11930 |
TCBarrett–Glossary |
Missing Authorization vulnerability in TCBarrett Glossary allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Glossary: from n/a through 3.1.2. | 2025-01-02 | 5.4 | CVE-2023-46633 |
TCS–BaNCS |
A vulnerability was found in TCS BaNCS 10. It has been classified as problematic. This affects an unknown part of the file /REPORTS/REPORTS_SHOW_FILE.jsp. The manipulation of the argument FilePath leads to file inclusion. | 2025-01-04 | 5.5 | CVE-2025-0202 |
TeamPass–TeamPass |
TeamPass before 3.1.3.1 does not properly check whether a mail_me (aka action_mail) operation is on behalf of an administrator or manager. | 2024-12-30 | 5.4 | CVE-2024-50702 |
TeamPass–TeamPass |
TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different user_id. | 2024-12-30 | 5.4 | CVE-2024-50703 |
TeamPass–TeamPass |
TeamPass before 3.1.3.1, when retrieving information about access rights for a folder, does not properly check whether a folder is in a user’s allowed folders list that has been defined by an admin. | 2024-12-30 | 4.3 | CVE-2024-50701 |
The Events Calendar–Event Tickets |
Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar Event Tickets allows Cross Site Request Forgery.This issue affects Event Tickets: from n/a through 5.11.0.4. | 2025-01-02 | 4.3 | CVE-2024-38762 |
The Events Calendar–The Events Calendar |
Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar The Events Calendar allows Cross Site Request Forgery.This issue affects The Events Calendar: from n/a through 6.5.1.4. | 2025-01-02 | 4.3 | CVE-2024-37518 |
ThemeIsle–Hestia |
Cross-Site Request Forgery (CSRF) vulnerability in ThemeIsle Hestia allows Cross Site Request Forgery.This issue affects Hestia: from n/a through 3.1.2. | 2025-01-02 | 4.3 | CVE-2024-37467 |
ThemeLooks–Enter Addons |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThemeLooks Enter Addons allows Stored XSS.This issue affects Enter Addons: from n/a through 2.1.9. | 2025-01-02 | 6.5 | CVE-2024-56252 |
Themes4WP–Popularis Verse |
Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Verse allows Cross Site Request Forgery.This issue affects Popularis Verse: from n/a through 1.1.1. | 2025-01-02 | 4.3 | CVE-2024-38763 |
Themewinter–Eventin |
Path Traversal: ‘…/…//’ vulnerability in Themewinter Eventin allows Path Traversal.This issue affects Eventin: from n/a through 4.0.7. | 2024-12-31 | 6.5 | CVE-2024-56213 |
Themify–Themify Audio Dock |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Themify Themify Audio Dock allows Stored XSS.This issue affects Themify Audio Dock: from n/a through 2.0.4. | 2025-01-02 | 6.5 | CVE-2024-56239 |
Themify–Themify Builder |
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Themify Themify Builder allows PHP Local File Inclusion.This issue affects Themify Builder: from n/a through 7.6.3. | 2024-12-31 | 6.5 | CVE-2024-56216 |
thorsten–phpMyFAQ |
phpMyFAQ is an open source FAQ web application. Starting no later than version 3.2.10 and prior to version 4.0.2, an attacker can inject malicious HTML content into the FAQ editor at `http[:]//localhost/admin/index[.]php?action=editentry`, resulting in a complete disruption of the FAQ page’s user interface. By injecting malformed HTML elements styled to cover the entire screen, an attacker can render the page unusable. This injection manipulates the page structure by introducing overlapping buttons, images, and iframes, breaking the intended layout and functionality. Exploiting this issue can lead to Denial of Service for legitimate users, damage to the user experience, and potential abuse in phishing or defacement attacks. Version 4.0.2 contains a patch for the vulnerability. | 2025-01-02 | 5.2 | CVE-2024-56199 |
Tiki Wiki–CMS |
Tiki Wiki CMS – CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 2024-12-30 | 6.1 | CVE-2024-47918 |
Till Krss–Email Address Encoder |
Cross-Site Request Forgery (CSRF) vulnerability in Till Krüss Email Address Encoder allows Cross Site Request Forgery.This issue affects Email Address Encoder: from n/a through 1.0.23. | 2025-01-02 | 4.3 | CVE-2024-43927 |
Tim Whitlock–Loco Translate |
Cross-Site Request Forgery (CSRF) vulnerability in Tim Whitlock Loco Translate allows Cross Site Request Forgery.This issue affects Loco Translate: from n/a through 2.6.9. | 2025-01-02 | 4.3 | CVE-2024-37236 |
TMD–Custom Header Menu |
A vulnerability was found in TMD Custom Header Menu 4.0.0.1 on OpenCart. It has been rated as problematic. This issue affects some unknown processing of the file /admin/index.php. The manipulation of the argument headermenu_id leads to sql injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | 2025-01-04 | 4.1 | CVE-2025-0214 |
Toast Plugins–Animator |
Missing Authorization vulnerability in Toast Plugins Animator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Animator: from n/a through 3.0.10. | 2025-01-02 | 6.5 | CVE-2023-47689 |
Torod Holding LTD–Torod |
Missing Authorization vulnerability in Torod Holding LTD Torod allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Torod: from n/a through 1.7. | 2024-12-31 | 6.5 | CVE-2024-55995 |
Trend Micro, Inc.–Trend Micro Deep Security |
An incorrect permissions assignment vulnerability in Trend Micro Deep Security 20.0 agents between versions 20.0.1-9400 and 20.0.1-23340 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 2024-12-31 | 6.7 | CVE-2024-55955 |
Trend Micro, Inc.–Trend Micro ID Security |
Trend Micro ID Security, version 3.0 and below contains a vulnerability that could allow an attacker to send an unlimited number of email verification requests without any restriction, potentially leading to abuse or denial of service. | 2024-12-31 | 6.5 | CVE-2024-53647 |
Tsinghua Unigroup–Electronic Archives Management System |
A vulnerability was found in Tsinghua Unigroup Electronic Archives Management System 3.2.210802(62532). It has been classified as problematic. Affected is the function download of the file /Searchnew/Subject/download.html. The manipulation of the argument path leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-12-30 | 4.3 | CVE-2024-13042 |
Tsinghua Unigroup–Electronic Archives System |
A vulnerability classified as problematic was found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). Affected by this vulnerability is an unknown functionality of the file /setting/ClassFy/exampleDownload.html. The manipulation of the argument name leads to path traversal: ‘/../filedir’. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 4.3 | CVE-2025-0225 |
Tsinghua Unigroup–Electronic Archives System |
A vulnerability, which was classified as problematic, has been found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). Affected by this issue is the function download of the file /collect/PortV4/downLoad.html. The manipulation of the argument path leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 4.3 | CVE-2025-0226 |
Tsinghua Unigroup–Electronic Archives System |
A vulnerability, which was classified as problematic, was found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). This affects an unknown part of the file /Logs/Annals/downLoad.html. The manipulation of the argument path leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 4.3 | CVE-2025-0227 |
Tyche Softwares–Arconix Shortcodes |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Tyche Softwares Arconix Shortcodes allows Stored XSS. This issue affects Arconix Shortcodes: from n/a through 2.1.14. | 2025-01-02 | 6.5 | CVE-2024-56242 |
Uncanny Owl–Uncanny Toolkit Pro for LearnDash |
Cross-Site Request Forgery (CSRF) vulnerability in Uncanny Owl Uncanny Toolkit Pro for LearnDash allows Cross Site Request Forgery. This issue affects Uncanny Toolkit Pro for LearnDash: from n/a before 4.1.4.1. | 2025-01-02 | 5.4 | CVE-2024-37438 |
Unknown–TravelTour |
The does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | 2025-01-01 | 6.1 | CVE-2024-11846 |
vercel–next.js |
Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leave requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed in providers billing by response times. (Note: the Next.js server is idle during that time and only keeps the connection open; CPU and memory footprint are low during that time.) Deployments without any protection against long-running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing. This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations to those, then this vulnerability is novel. This vulnerability affects only Next.js deployments using Server Actions. The issue was resolved in Next.js 13.5.8, 14.2.21, and 15.1.2. We recommend that users upgrade to a safe version. There are no official workarounds. | 2025-01-03 | 5.3 | CVE-2024-56332 |
Veritas–Data Insight |
Veritas / Arctera Data Insight before 7.1.1 allows Application Administrators to conduct SQL injection attacks. | 2024-12-30 | 6.5 | CVE-2024-46542 |
VolThemes–Patricia Blog |
Cross-Site Request Forgery (CSRF) vulnerability in VolThemes Patricia Blog allows Cross Site Request Forgery. This issue affects Patricia Blog: from n/a through 1.2. | 2025-01-02 | 4.3 | CVE-2024-38732 |
VW THEMES–VW Automobile Lite |
Missing Authorization vulnerability in VW THEMES VW Automobile Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects VW Automobile Lite: from n/a through 2.1. | 2024-12-31 | 5.4 | CVE-2024-56234 |
W3 Eden, Inc.–Download Manager |
Missing Authorization vulnerability in W3 Eden, Inc. Download Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Manager: from n/a through 3.3.03. | 2024-12-31 | 4.3 | CVE-2024-56217 |
wangl1989–mysiteforme |
A vulnerability was found in wangl1989 mysiteforme 1.0 and classified as critical. Affected by this issue is the function rememberMeManager of the file src/main/java/com/mysiteforme/admin/config/ShiroConfig.java. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 6.3 | CVE-2024-13136 |
wangl1989–mysiteforme |
A vulnerability was found in wangl1989 mysiteforme 1.0. It has been rated as critical. This issue affects the function doContent of the file src/main/java/com/mysiteform/admin/controller/system/FileController. The manipulation of the argument content leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 6.3 | CVE-2024-13139 |
wangl1989–mysiteforme |
A vulnerability was found in wangl1989 mysiteforme 1.0. It has been declared as critical. This vulnerability affects the function upload of the file src/main/java/com/mysiteform/admin/service/ipl/LocalUploadServiceImpl. The manipulation of the argument test leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 4.7 | CVE-2024-13138 |
Webdeclic–WPMasterToolKit |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Webdeclic WPMasterToolKit allows Path Traversal. This issue affects WPMasterToolKit: from n/a through 1.13.1. | 2025-01-02 | 4.9 | CVE-2024-56248 |
websoudan–MW WP Form |
Missing Authorization vulnerability in websoudan MW WP Form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MW WP Form: from n/a through 4.4.5. | 2025-01-02 | 5.3 | CVE-2023-46206 |
WebToffee–WordPress Backup & Migration |
Missing Authorization vulnerability in WebToffee WordPress Backup & Migration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Backup & Migration: from n/a through 1.4.1. | 2025-01-02 | 5.4 | CVE-2023-45636 |
weDevs–WP ERP |
Missing Authorization vulnerability in weDevs WP ERP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP ERP: from n/a through 1.12.6. | 2025-01-02 | 4.3 | CVE-2023-45765 |
wedevs–WP Project Manager Task, team, and project management plugin featuring kanban board and gantt charts |
The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to SQL Injection via the ‘project_id’ parameter of the /wp-json/pm/v2/projects/2/task-lists REST API endpoint in all versions up to, and including, 2.6.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, who have been granted access to a project, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-01-04 | 6.5 | CVE-2024-12195 |
weDevs–WP User Frontend |
Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Frontend: from n/a through 3.6.8. | 2025-01-02 | 4.3 | CVE-2023-45002 |
WeyHan Ng–Post Teaser |
Missing Authorization vulnerability in WeyHan Ng Post Teaser. This issue affects Post Teaser: from n/a through 4.1.5. | 2025-01-02 | 5.4 | CVE-2022-45811 |
Woo–WooCommerce Subscriptions |
Missing Authorization vulnerability in Woo WooCommerce Subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Subscriptions: from n/a before 5.8.0. | 2024-12-31 | 4.3 | CVE-2023-50850 |
WowStore Team–ProductX Gutenberg WooCommerce Blocks |
Missing Authorization vulnerability in WowStore Team ProductX – Gutenberg WooCommerce Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ProductX – Gutenberg WooCommerce Blocks: from n/a through 2.7.8. | 2025-01-02 | 4.3 | CVE-2023-45271 |
WP CTA PRO–WordPress CTA |
Missing Authorization vulnerability in WP CTA PRO WordPress CTA allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress CTA: from n/a through 1.5.8. | 2025-01-02 | 6.5 | CVE-2023-46644 |
WP Hait–Post Grid Elementor Addon |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WP Hait Post Grid Elementor Addon allows Stored XSS. This issue affects Post Grid Elementor Addon: from n/a through 2.0.18. | 2025-01-02 | 6.5 | CVE-2024-56268 |
WP iCal Availability–WP iCal Availability |
Missing Authorization vulnerability in WP iCal Availability WP iCal Availability allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP iCal Availability: from n/a through 1.0.3. | 2025-01-02 | 5.4 | CVE-2023-46607 |
WP Royal–Ashe Extra |
Missing Authorization vulnerability in WP Royal Ashe Extra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ashe Extra: from n/a through 1.2.9. | 2025-01-02 | 5.4 | CVE-2023-46079 |
WP Royal–Ashe Extra |
Missing Authorization vulnerability in WP Royal Ashe Extra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ashe Extra: from n/a through 1.2.92. | 2025-01-02 | 5.4 | CVE-2024-56244 |
WP Royal–Ashe |
Cross-Site Request Forgery (CSRF) vulnerability in WP Royal Ashe allows Cross Site Request Forgery. This issue affects Ashe: from n/a through 2.233. | 2025-01-02 | 4.3 | CVE-2024-37478 |
WP Royal–Bard |
Cross-Site Request Forgery (CSRF) vulnerability in WP Royal Bard allows Cross Site Request Forgery. This issue affects Bard: from n/a through 2.210. | 2025-01-02 | 4.3 | CVE-2024-37490 |
WP Royal–Royal Elementor Addons |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WP Royal Royal Elementor Addons allows Stored XSS. This issue affects Royal Elementor Addons: from n/a through 1.3.987. | 2024-12-31 | 6.5 | CVE-2024-56062 |
WP Royal–Royal Elementor Addons |
Missing Authorization vulnerability in WP Royal Royal Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal Elementor Addons: from n/a through 1.7.1001. | 2024-12-31 | 4.3 | CVE-2024-56227 |
WP Travel Engine–Travel Monster |
Cross-Site Request Forgery (CSRF) vulnerability in WP Travel Engine Travel Monster allows Cross Site Request Forgery. This issue affects Travel Monster: from n/a through 1.1.2. | 2025-01-02 | 4.3 | CVE-2024-37272 |
wp-buy–Visitors Traffic Real Time Statistics |
Missing Authorization vulnerability in wp-buy Visitors Traffic Real Time Statistics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Visitors Traffic Real Time Statistics: from n/a through 7.2. | 2025-01-02 | 4.3 | CVE-2023-47557 |
WP-CRM–WP-CRM System |
Missing Authorization vulnerability in WP-CRM WP-CRM System allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP-CRM System: from n/a through 3.2.9.1. | 2024-12-31 | 6.5 | CVE-2024-55991 |
WPBlockArt–Magazine Blocks |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPBlockArt Magazine Blocks allows Stored XSS. This issue affects Magazine Blocks: from n/a through 1.3.20. | 2025-01-02 | 6.5 | CVE-2024-56258 |
wpdevart–Responsive Image Gallery, Gallery Album |
Missing Authorization vulnerability in wpdevart Responsive Image Gallery, Gallery Album allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3. | 2025-01-02 | 4.3 | CVE-2023-45631 |
WPDeveloper–Essential Addons for Elementor |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPDeveloper Essential Addons for Elementor allows Stored XSS. This issue affects Essential Addons for Elementor: from n/a through 6.0.7. | 2024-12-31 | 6.5 | CVE-2024-56063 |
WPDO–DoLogin Security |
Missing Authorization vulnerability in WPDO DoLogin Security allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DoLogin Security: from n/a through 3.7.1. | 2025-01-02 | 5.3 | CVE-2023-46608 |
wpexpertsio–WP Multi Store Locator |
The WP Multi Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-01-04 | 6.4 | CVE-2024-12475 |
wpjobportal–WP Job Portal A Complete Recruitment System for Company or Job Board website |
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create jobs for companies that are unaffiliated with the attacker. | 2025-01-03 | 4.3 | CVE-2024-12132 |
WPKoi–WPKoi Templates for Elementor |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPKoi WPKoi Templates for Elementor allows Stored XSS. This issue affects WPKoi Templates for Elementor: from n/a through 3.1.3. | 2025-01-02 | 6.5 | CVE-2024-56241 |
wpweaver–Turnkey bbPress by WeaverTheme |
The Turnkey bbPress by WeaverTheme plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘_wpnonce’ parameter in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-01-04 | 6.1 | CVE-2024-12221 |
XLPlugins–Finale Lite |
Missing Authorization vulnerability in XLPlugins Finale Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Finale Lite: from n/a through 2.16.0. | 2025-01-02 | 6.5 | CVE-2023-47180 |
Xtemos–WoodMart |
Missing Authorization vulnerability in Xtemos WoodMart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WoodMart: from n/a through 7.2.1. | 2025-01-02 | 5.4 | CVE-2023-32240 |
xylus–WP Smart Import : Import any XML File to WordPress |
The WP Smart Import : Import any XML File to WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-01-04 | 6.1 | CVE-2024-12701 |
YITH–YITH WooCommerce Product Add-Ons |
Missing Authorization vulnerability in YITH YITH WooCommerce Product Add-Ons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.2.0. | 2025-01-02 | 5.3 | CVE-2023-46635 |
yourownprogrammer–YOP Poll |
Authentication Bypass by Primary Weakness vulnerability in yourownprogrammer YOP Poll allows Authentication Bypass. This issue affects YOP Poll: from n/a through 6.5.28. | 2025-01-02 | 5.3 | CVE-2023-46611 |
Yulio Aleman Jimenez–Smart Shopify Product |
Missing Authorization vulnerability in Yulio Aleman Jimenez Smart Shopify Product allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Shopify Product: from n/a through 1.0.2. | 2024-12-31 | 6.5 | CVE-2024-56031 |
ZeroWdd–studentmanager |
A vulnerability, which was classified as critical, has been found in ZeroWdd studentmanager 1.0. This issue affects the function addStudent/editStudent of the file src/main/Java/com/wdd/studentmanager/controller/StudentController.java. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 6.3 | CVE-2024-13133 |
ZeroWdd–studentmanager |
A vulnerability, which was classified as critical, was found in ZeroWdd studentmanager 1.0. Affected is the function addTeacher/editTeacher of the file src/main/Java/com/wdd/studentmanager/controller/TeacherController.java. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 6.3 | CVE-2024-13134 |
Low Vulnerabilities
Primary Vendor — Product |
Description | Published | CVSS Score | Source Info |
---|---|---|---|---|
Antabot–White-Jotter |
A vulnerability classified as problematic has been found in Antabot White-Jotter up to 0.2.2. Affected is an unknown function of the file /admin/content/editor of the component Article Content Editor. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-12-30 | 2.4 | CVE-2024-13031 |
Antabot–White-Jotter |
A vulnerability classified as problematic was found in Antabot White-Jotter up to 0.2.2. Affected by this vulnerability is an unknown functionality of the file /admin/content/editor of the component Article Editor. The manipulation of the argument articleCover leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-12-30 | 2.7 | CVE-2024-13032 |
code-projects–Chat System |
A vulnerability, which was classified as problematic, has been found in code-projects Chat System 1.0. Affected by this issue is some unknown functionality of the file /admin/chatroom.php. The manipulation of the argument id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2024-12-30 | 3.5 | CVE-2024-13033 |
code-projects–Chat System |
A vulnerability, which was classified as problematic, was found in code-projects Chat System 1.0. This affects an unknown part of the file /admin/update_user.php. The manipulation of the argument name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-12-30 | 3.5 | CVE-2024-13034 |
code-projects–Local Storage Todo App |
A vulnerability has been found in code-projects Local Storage Todo App 1.0 and classified as problematic. This vulnerability affects unknown code of the file /js-todo-app/index.html. The manipulation of the argument Add leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 2.4 | CVE-2025-0228 |
code-projects–Online Shop |
A vulnerability was found in code-projects Online Shop 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /view.php. The manipulation of the argument name/details leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-03 | 3.5 | CVE-2025-0175 |
gocd–gocd |
GoCD is a continuous delivery server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration “post-backup script” feature to potentially execute arbitrary scripts on the hosting server or container as GoCD’s user, rather than pre-configured scripts. In practice the impact of this vulnerability is limited, as in most configurations a user who can log into the GoCD UI as an admin also has host administration permissions for the host/container that GoCD runs on, in order to manage artifact storage and other service-level configuration options. Additionally, since a GoCD admin has the ability to configure and schedule pipeline tasks on all GoCD agents available to the server, the fundamental functionality of GoCD allows co-ordinated task execution similar to that of post-backup scripts. However, in restricted environments where host administration is separated from the role of a GoCD admin, this may be unexpected. The issue is fixed in GoCD 24.5.0. Post-backup scripts can no longer be executed from within certain sensitive locations on the GoCD server. No known workarounds are available. | 2025-01-03 | 3.8 | CVE-2024-56321 |
n/a–Emlog Pro |
A vulnerability classified as problematic was found in Emlog Pro up to 2.4.3. This vulnerability affects unknown code of the file /admin/article.php of the component Subpage Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 3.5 | CVE-2024-13132 |
n/a–Emlog Pro |
A vulnerability has been found in Emlog Pro 2.4.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/twitter.php of the component Subpage Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 3.5 | CVE-2024-13135 |
n/a–Emlog Pro |
A vulnerability classified as problematic has been found in Emlog Pro up to 2.4.3. Affected is an unknown function of the file /admin/article.php?action=upload_cover of the component Cover Upload Handler. The manipulation of the argument image leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 3.5 | CVE-2024-13140 |
osuuu–LightPicture |
A vulnerability classified as problematic was found in osuuu LightPicture up to 1.2.2. This vulnerability affects unknown code of the file /api/upload of the component SVG File Upload Handler. The manipulation of the argument file leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 3.5 | CVE-2024-13141 |
PHPGurukul–Land Record System |
A vulnerability classified as problematic has been found in PHPGurukul Land Record System 1.0. This affects an unknown part of the file /index.php. The manipulation of the argument searchdata leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-12-31 | 3.5 | CVE-2024-13074 |
PHPGurukul–Land Record System |
A vulnerability classified as problematic was found in PHPGurukul Land Record System 1.0. This vulnerability affects unknown code of the file /admin/add-propertytype.php. The manipulation of the argument Land Property Type leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-12-31 | 3.5 | CVE-2024-13075 |
PHPGurukul–Land Record System |
A vulnerability, which was classified as problematic, has been found in PHPGurukul Land Record System 1.0. This issue affects some unknown processing of the file /admin/edit-propertytype.php. The manipulation of the argument Property Type leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-12-31 | 3.5 | CVE-2024-13076 |
PHPGurukul–Land Record System |
A vulnerability, which was classified as problematic, was found in PHPGurukul Land Record System 1.0. Affected is an unknown function of the file /admin/add-property.php. The manipulation of the argument Land Subtype leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-12-31 | 3.5 | CVE-2024-13077 |
PHPGurukul–Land Record System |
A vulnerability was found in PHPGurukul Land Record System 1.0. It has been classified as problematic. This affects an unknown part of the file /admin/aboutus.php. The manipulation of the argument Page Description leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-12-31 | 3.5 | CVE-2024-13080 |
PHPGurukul–Land Record System |
A vulnerability was found in PHPGurukul Land Record System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/contactus.php. The manipulation of the argument Page Description leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-12-31 | 3.5 | CVE-2024-13081 |
PHPGurukul–Land Record System |
A vulnerability was found in PHPGurukul Land Record System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /admin/search-property.php. The manipulation of the argument Search By leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2024-12-31 | 3.5 | CVE-2024-13082 |
PHPGurukul–Land Record System |
A vulnerability classified as problematic has been found in PHPGurukul Land Record System 1.0. Affected is an unknown function of the file /admin/admin-profile.php. The manipulation of the argument Admin Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-12-31 | 3.5 | CVE-2024-13083 |
SourceCodester–Multi Role Login System |
A vulnerability was found in SourceCodester Multi Role Login System 1.0. It has been classified as problematic. Affected is an unknown function of the file /endpoint/add-user.php. The manipulation of the argument name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2024-12-31 | 3.5 | CVE-2024-13069 |
Trimble–SPS851 |
A vulnerability, which was classified as problematic, has been found in Trimble SPS851 488.01. Affected by this issue is some unknown functionality of the component Receiver Status Identity Tab. The manipulation of the argument System Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-01-05 | 2.4 | CVE-2025-0219 |
Trimble–SPS851 |
A vulnerability, which was classified as problematic, was found in Trimble SPS851 488.01. This affects an unknown part of the component Ethernet Configuration Menu. The manipulation of the argument Hostname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-01-05 | 2.4 | CVE-2025-0220 |
wangl1989–mysiteforme |
A vulnerability was found in wangl1989 mysiteforme 1.0. It has been classified as problematic. This affects the function RestResponse of the file src/main/java/com/mysiteforme/admin/controller/system/SiteController. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-01-05 | 2.4 | CVE-2024-13137 |
ZeroWdd–studentmanager |
A vulnerability was found in ZeroWdd studentmanager 1.0. It has been declared as problematic. This vulnerability affects the function submitAddRole of the file src/main/java/com/zero/system/controller/RoleController.java. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. | 2025-01-05 | 2.4 | CVE-2024-13142 |
Severity Not Yet Assigned
Primary Vendor — Product | Description | Published | CVSS Score | Source Info |
---|---|---|---|---|
Acronis–Acronis Cyber Protect 16 | Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169. | 2025-01-02 | not yet calculated | CVE-2024-55540 |
Acronis–Acronis Cyber Protect 16 | Stored cross-site scripting (XSS) vulnerability due to missing origin validation in postMessage. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39169. | 2025-01-02 | not yet calculated | CVE-2024-55541 |
Acronis–Acronis Cyber Protect 16 | Local privilege escalation due to excessive permissions assigned to Tray Monitor service. The following products are affected: Acronis Cyber Protect 16 (Linux, macOS, Windows) before build 39169, Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 35895. | 2025-01-02 | not yet calculated | CVE-2024-55542 |
Acronis–Acronis Cyber Protect 16 | Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169. | 2025-01-02 | not yet calculated | CVE-2024-55543 |
Acronis–Acronis Cyber Protect 16 | Missing session invalidation after user deletion. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169. | 2025-01-02 | not yet calculated | CVE-2024-56413 |
Acronis–Acronis Cyber Protect 16 | Web installer integrity check used weak hash algorithm. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169. | 2025-01-02 | not yet calculated | CVE-2024-56414 |
Acronis–Acronis True Image | Sensitive information disclosure due to insecure folder permissions. The following products are affected: Acronis True Image (Windows) before build 41736. | 2025-01-02 | not yet calculated | CVE-2024-49385 |
Acronis–Acronis True Image | Sensitive information disclosure due to missing authentication. The following products are affected: Acronis True Image (macOS) before build 41725, Acronis True Image (Windows) before build 41736. | 2025-01-02 | not yet calculated | CVE-2024-55538 |
AnyDesk–AnyDesk | AnyDesk Link Following Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of AnyDesk. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of background images. By creating a junction, an attacker can abuse the service to read arbitrary files. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-23940. | 2024-12-30 | not yet calculated | CVE-2024-12754 |
better-auth–better-auth | Better Auth is an authentication library for TypeScript. An open redirect vulnerability has been identified in the verify email endpoint of all versions of Better Auth prior to v1.1.6, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email verification links generated by the library. The verify email callback endpoint accepts a `callbackURL` parameter. Unlike other verification methods, email verification only uses JWT to verify and redirect without proper validation of the target domain. The origin checker is bypassed in this scenario because it only checks for `POST` requests. An attacker can manipulate this parameter to redirect users to arbitrary URLs controlled by the attacker. Version 1.1.6 contains a patch for the issue. | 2024-12-30 | not yet calculated | CVE-2024-56734 |
cabraviva–path-sanitizer | path-sanitizer is a simple lightweight npm package for sanitizing paths to prevent Path Traversal. Prior to 3.1.0, the filters can be bypassed using .=%5c which results in a path traversal. This vulnerability is fixed in 3.1.0. | 2024-12-31 | not yet calculated | CVE-2024-56198 |
CTFd–CTFd | While assignment of a user to a team (bracket) in CTFd should be possible only once, at the registration, a flaw in logic implementation allows an authenticated user to reset its bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releases from 3.7.0 up to 3.7.4 and was addressed by pull request 2636 https://github.com/CTFd/CTFd/pull/2636 included in 3.7.5 release. | 2025-01-02 | not yet calculated | CVE-2024-11716 |
CTFd–CTFd | Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means that during the token expiration time an on-path attacker might reuse such a token to change the user’s password and take over the account. Moreover, the tokens also include the base64 encoded user email. This issue impacts releases up to 3.7.4 and was addressed by pull request 2679 https://github.com/CTFd/CTFd/pull/2679 included in 3.7.5 release. | 2025-01-02 | not yet calculated | CVE-2024-11717 |
Delta Electronics–DRASimuCAD | Delta Electronics DRASimuCAD STP File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of STP files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22414. | 2024-12-30 | not yet calculated | CVE-2024-12834 |
Delta Electronics–DRASimuCAD | Delta Electronics DRASimuCAD ICS File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ICS files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22415. | 2024-12-30 | not yet calculated | CVE-2024-12835 |
Delta Electronics–DRASimuCAD | Delta Electronics DRASimuCAD STP File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of STP files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22450. | 2024-12-30 | not yet calculated | CVE-2024-12836 |
Forescout–SecureConnector | A vulnerability in Forescout SecureConnector v11.3.07.0109 on Windows allows an unauthenticated user to modify compliance scripts due to an insecure temporary directory. | 2025-01-02 | not yet calculated | CVE-2024-9950 |
Foxit–PDF Reader | Foxit PDF Reader AcroForm Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of AcroForms. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25344. | 2024-12-30 | not yet calculated | CVE-2024-12751 |
Foxit–PDF Reader | Foxit PDF Reader AcroForm Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of AcroForms. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25345. | 2024-12-30 | not yet calculated | CVE-2024-12752 |
Foxit–PDF Reader | Foxit PDF Reader Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Foxit PDF Reader. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the product installer. By creating a junction, an attacker can abuse the installer process to create an arbitrary file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-25408. | 2024-12-30 | not yet calculated | CVE-2024-12753 |
ghostty-org–ghostty | Ghostty is a cross-platform terminal emulator. Ghostty, as allowed by default in 1.0.0, allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user’s terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. This attack requires an attacker to send malicious escape sequences followed by convincing the user to physically press the “enter” key. Fixed in Ghostty v1.0.1. | 2024-12-31 | not yet calculated | CVE-2024-56803 |
gocd–gocd | GoCD is a continuous delivery server. GoCD versions prior to 24.5.0 are vulnerable to admin privilege escalation due to improper authorization of access to the admin “Configuration XML” UI feature, and its associated API. A malicious insider/existing authenticated GoCD user with an existing GoCD user account could abuse this vulnerability to access information intended only for GoCD admins, or to escalate their privileges to that of a GoCD admin in a persistent manner. It is not possible for this vulnerability to be abused prior to authentication/login. The issue is fixed in GoCD 24.5.0. GoCD users who are not able to immediately upgrade can mitigate this issue by using a reverse proxy, WAF or similar to externally block access paths with a `/go/rails/` prefix. Blocking this route causes no loss of functionality. If it is not possible to upgrade or block the above route, consider reducing the GoCD user base to a more trusted set of users, including temporarily disabling use of plugins such as the guest-login-plugin, which allow limited anonymous access as a regular user account. | 2025-01-03 | not yet calculated | CVE-2024-56320 |
gocd–gocd | GoCD is a continuous delivery server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scans configuration repositories for pipeline updates, or is triggered by an administrator or config repo admin. In practice the impact of this vulnerability is limited, in most cases without combining with another vulnerability, as only GoCD (super) admins have the ability to abuse this vulnerability. Typically a malicious GoCD admin can cause much larger damage than they can do with XXE injection. The issue is fixed in GoCD 24.5.0. As a workaround, prevent external access from the GoCD server to arbitrary locations using some kind of environment egress control. | 2025-01-03 | not yet calculated | CVE-2024-56322 |
gocd–gocd | GoCD is a continuous delivery server. GoCD versions prior to 24.4.0 can allow GoCD “group admins” to abuse the ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additional attacks such as SSRF, information disclosure from the GoCD server, and directory traversal, although these additional attacks have not been explicitly demonstrated as exploitable. This issue is fixed in GoCD 24.5.0. Some workarounds are available. One may temporarily block access to `/go/*/pipelines/snippet` routes from an external reverse proxy or WAF if one’s “group admin” users do not need the functionality to edit the XML of pipelines directly (rather than using the UI, or using a configuration repository). One may also prevent external access from one’s GoCD server to arbitrary locations using some kind of environment egress control. | 2025-01-03 | not yet calculated | CVE-2024-56324 |
Google–Android | In prepare_response_locked of lwis_transaction.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-01-03 | not yet calculated | CVE-2024-53833 |
Infinix Mobile–com.rlk.weathers | Infinix devices contain a pre-loaded “com.rlk.weathers” application that exposes an unsecured content provider. An attacker can communicate with the provider and reveal the user’s location without any privileges. After multiple attempts to contact the vendor we did not receive any answer. We suppose this issue affects all Infinix Mobile devices. | 2024-12-30 | not yet calculated | CVE-2024-12993 |
InfotelGLPI–tasklists | Tasklists provides plugin tasklists for GLPI. Versions prior to 2.0.4 have a blind SQL injection vulnerability. Version 2.0.4 contains a patch for the vulnerability. | 2024-12-30 | not yet calculated | CVE-2024-56801 |
iXsystems–TrueNAS CORE | iXsystems TrueNAS CORE tarfile.extractall Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of iXsystems TrueNAS devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the tarfile.extractall method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-25626. | 2024-12-30 | not yet calculated | CVE-2024-11944 |
iXsystems–TrueNAS CORE | iXsystems TrueNAS CORE fetch_plugin_packagesites tar Cleartext Transmission of Sensitive Information Vulnerability. This vulnerability allows network-adjacent attackers to tamper with firmware update files on affected installations of iXsystems TrueNAS devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of firmware updates. The issue results from the use of an insecure protocol to deliver updates. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-25668. | 2024-12-30 | not yet calculated | CVE-2024-11946 |
karmada-io–karmada | Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters. Since Karmada v1.12.0, command `karmadactl register` restricts the access permissions of pull mode member clusters to control plane resources. This way, an attacker able to authenticate as the karmada-agent cannot control other member clusters in Karmada. As a workaround, one may restrict the access permissions of pull mode member clusters to control plane resources according to Karmada Component Permissions Docs. | 2025-01-03 | not yet calculated | CVE-2024-56513 |
karmada-io–karmada | Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions (CRDs) needed by Karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a Karmada initialization could write arbitrary files in arbitrary paths of the filesystem. From Karmada version 1.12.0, when processing custom CRDs files, CRDs archive verification is utilized to enhance file system robustness. A workaround is available. Someone who needs to set flag `--crd` to customize the CRD files required for Karmada initialization when using `karmadactl init` to set up Karmada can manually inspect the CRD files to check whether they contain sequences such as `../` that would alter file paths, to determine if they potentially include malicious files. When using karmada-operator to set up Karmada, one must upgrade one’s karmada-operator to one of the fixed versions. | 2025-01-03 | not yet calculated | CVE-2024-56514 |
Kentico–Kentico CMS | Kentico CMS in version 7 is vulnerable to Reflected XSS attacks through manipulation of a specific GET request parameter sent to the /CMSMessages/AccessDenied.aspx endpoint. Notably, support for this version of Kentico ended in 2016. Version 8 was tested as well and does not contain this vulnerability. | 2025-01-02 | not yet calculated | CVE-2024-12907 |
Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE. I expect that the hardware will have limited this to 16, but just in case it hasn’t, check for this corner case. | 2025-01-02 | not yet calculated | CVE-2022-49035 |
lm-sys–lm-sys/fastchat | A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in lm-sys/fastchat, as of commit e208d5677c6837d590b81cb03847c0b9de100765. This vulnerability allows attackers to exploit the victim controller API server’s credentials to perform unauthorized web actions or access unauthorized web resources by combining it with the POST /register_worker endpoint. | 2024-12-30 | not yet calculated | CVE-2024-10044 |
n/a–n/a | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity input validation issue exists in the Commerce B2B application, affecting the Contact Us functionality. This allows visitors to send e-mail messages that could contain unfiltered HTML markup in specific scenarios. | 2025-01-04 | not yet calculated | CVE-2025-22383 |
n/a–n/a | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue concerning business logic exists in the Commerce B2B application, which allows storefront visitors to purchase discontinued products in specific scenarios where requests are altered before reaching the server. | 2025-01-04 | not yet calculated | CVE-2025-22384 |
n/a–n/a | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. For newly created accounts, the Commerce B2B application does not require email confirmation. This medium-severity issue allows the mass creation of accounts. This could affect database storage; also, non-requested storefront accounts can be created on behalf of visitors. | 2025-01-04 | not yet calculated | CVE-2025-22385 |
n/a–n/a | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity session issue exists in the Commerce B2B application, affecting the longevity of active sessions in the storefront. This allows session tokens tied to logged-out sessions to still be active and usable. | 2025-01-04 | not yet calculated | CVE-2025-22386 |
n/a–n/a | An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity issue exists in requests for resources where the session token is submitted as a URL parameter. This exposes information about the authenticated session, which can be leveraged for session hijacking. | 2025-01-04 | not yet calculated | CVE-2025-22387 |
n/a–n/a | An issue was discovered in Optimizely EPiServer.CMS.Core before 12.22.0. A high-severity Stored Cross-Site Scripting (XSS) vulnerability exists in the CMS, allowing malicious actors to inject and execute arbitrary JavaScript code, potentially compromising user data, escalating privileges, or executing unauthorized actions. The issue exists in multiple areas, including content editing, link management, and file uploads. | 2025-01-04 | not yet calculated | CVE-2025-22388 |
n/a–n/a | An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS, where the application does not properly validate uploaded files. This allows the upload of potentially malicious file types, including .docm and .html. When accessed by application users, these files can be used to execute malicious actions or compromise users’ systems. | 2025-01-04 | not yet calculated | CVE-2025-22389 |
n/a–n/a | An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS due to insufficient enforcement of password complexity requirements. The application permits users to set passwords with a minimum length of 6 characters, lacking adequate complexity to resist modern attack techniques such as password spraying or offline password cracking. | 2025-01-04 | not yet calculated | CVE-2025-22390 |
PacoVK–tapir | Tapir is a private Terraform registry. Tapir versions 0.9.0 and 0.9.1 are facing a critical issue with scope-able Deploykeys where attackers can guess the key to get write access to the registry. Users must upgrade to 0.9.2. | 2024-12-31 | not yet calculated | CVE-2024-56802 |
PHPOffice–PhpSpreadsheet | PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the `Downloader` class. Using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. | 2025-01-03 | not yet calculated | CVE-2024-56365 |
PHPOffice–PhpSpreadsheet | PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Accounting.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. | 2025-01-03 | not yet calculated | CVE-2024-56366 |
PHPOffice–PhpSpreadsheet | PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. | 2025-01-03 | not yet calculated | CVE-2024-56408 |
PHPOffice–PhpSpreadsheet | PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Currency.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` script, an attacker can perform a cross-site scripting attack. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. | 2025-01-03 | not yet calculated | CVE-2024-56409 |
PHPOffice–PhpSpreadsheet | PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. | 2025-01-03 | not yet calculated | CVE-2024-56410 |
PHPOffice–PhpSpreadsheet | PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink base. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. | 2025-01-03 | not yet calculated | CVE-2024-56411 |
PHPOffice–PhpSpreadsheet | PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters, so that the library processes the javascript protocol with special characters and generates an HTML link. Versions 3.7.0, 2.3.5, 2.1.6, and 1.29.7 contain a patch for the issue. | 2025-01-03 | not yet calculated | CVE-2024-56412 |
RockChinQ–free-one-api | free-one-api allows users to access large language model reverse engineering libraries through the standard OpenAI API format. In versions up to and including 1.0.1, MD5 is used to hash passwords before sending them to the backend. MD5 is a cryptographically broken hashing algorithm and is no longer considered secure for password storage or transmission. It is vulnerable to collision attacks and can be easily cracked using modern hardware, exposing user credentials to potential compromise. As of time of publication, a replacement for MD5 has not been committed to the free-one-api GitHub repository. | 2024-12-30 | not yet calculated | CVE-2024-56516 |
siyuan-note–siyuan | SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19. | 2025-01-03 | not yet calculated | CVE-2025-21609 |
SoftIron–HyperCloud | An issue exists in SoftIron HyperCloud where authenticated, but non-admin users can create data pools, which could potentially impact the performance and availability of the backend software-defined storage subsystem. This issue only impacts SoftIron HyperCloud and related software products (such as VM Squared), software versions 2.3.0 to before 2.5.0. | 2024-12-30 | not yet calculated | CVE-2024-13058 |
tltneon–lgsl | LGSL (Live Game Server List) provides online status lists for online video games. Versions up to and including 6.2.1 contain a reflected cross-site scripting vulnerability in the `Referer` HTTP header. The vulnerability allows attackers to inject arbitrary JavaScript code, which is reflected in the HTML response without proper sanitization. When crafted malicious input is provided in the `Referer` header, it is echoed back into an HTML attribute in the application’s response. Commit 7ecb839df9358d21f64cdbff5b2536af25a77de1 contains a patch for the issue. | 2024-12-30 | not yet calculated | CVE-2024-56517 |
Unknown–AHAthat Plugin | The AHAthat Plugin WordPress plugin through 1.6 does not escape the `$_SERVER['REQUEST_URI']` parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. | 2025-01-02 | not yet calculated | CVE-2024-12595 |
Unknown–goodlayers-core | The goodlayers-core WordPress plugin before 2.0.10 does not sanitise and escape some of its settings, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2025-01-02 | not yet calculated | CVE-2024-11357 |
Unknown–wp-enable-svg | The wp-enable-svg WordPress plugin through 0.7 does not sanitize SVG files when uploaded, allowing authors and above to upload SVGs containing malicious scripts. | 2025-01-02 | not yet calculated | CVE-2024-11184 |
Webmin–Webmin | Webmin CGI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Webmin. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of CGI requests. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22346. | 2024-12-30 | not yet calculated | CVE-2024-12828 |