Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-38656
Argument injection in Ivanti Connect Secure before version 22.7R2.2 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote...
Description: Argument injection in Ivanti Connect Secure before version 22.7R2.2 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution.

CVSS: CRITICAL (9.1)

EPSS Score: 0.04%

Source: CVE
December 2nd, 2024 (5 months ago)

CVE-2024-11925
WP JobSearch <= 2.6.7 - Authentication Bypass to Account Takeover and Privilege Escalation
Description: The JobSearch WP Job Board plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.6.7. This is due to the plugin not properly verifying a users identity when verifying an email address through the user_account_activation function. This makes it possible for unauthenticated attackers to log in as any user, including site administrators if the users email is known.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
November 29th, 2024 (5 months ago)

CVE-2024-11082
Tumult Hype Animations <= 1.9.15 - Authenticated (Author+) Arbitrary File Upload via hypeanimations_panel Function
Description: The Tumult Hype Animations plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the hypeanimations_panel() function in all versions up to, and including, 1.9.15. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS: CRITICAL (9.9)

EPSS Score: 0.05%

Source: CVE
November 29th, 2024 (5 months ago)

CVE-2024-8672
Widget Options – The #1 WordPress Widget & Block Control Plugin <= 4.0.7 - Authenticated (Contributor+) Remote Code Execution
Description: The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders. This is due to the plugin allowing users to supply input that will be passed through eval() without any filtering or capability checks. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server. Special note: We suggested the vendor implement an allowlist of functions and limit the ability to execute commands to just administrators, however, they did not take our advice. We are considering this patched, however, we believe it could still be further hardened and there may be residual risk with how the issue is currently patched.

CVSS: CRITICAL (9.9)

EPSS Score: 0.05%

Source: CVE
November 29th, 2024 (5 months ago)

CVE-2024-52490
WordPress Pathomation plugin <= 2.5.1 - Arbitrary File Upload vulnerability
Description: Unrestricted Upload of File with Dangerous Type vulnerability in Pathomation allows Upload a Web Shell to a Web Server.This issue affects Pathomation: from n/a through 2.5.1.

CVSS: CRITICAL (10.0)

EPSS Score: 0.04%

Source: CVE
November 29th, 2024 (5 months ago)

CVE-2024-52475
WordPress Wawp plugin < 3.0.18 - Account Takeover vulnerability
Description: Authentication Bypass Using an Alternate Path or Channel vulnerability in Automation Web Platform Wawp allows Authentication Bypass.This issue affects Wawp: from n/a before 3.0.18.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
November 29th, 2024 (5 months ago)

CVE-2024-52474
WordPress Express Payments plugin <= 1.1.8 - SQL Injection vulnerability
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LLC «TriIncom» Express Payments Module allows Blind SQL Injection.This issue affects Express Payments Module: from n/a through 1.1.8.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
November 29th, 2024 (5 months ago)

CVE-2024-11103
Contest Gallery <= 24.0.7 - Unauthenticated Arbitrary Password Reset to Privilege Escalation/Account Takeover
Description: The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 24.0.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
November 29th, 2024 (5 months ago)

CVE-2024-8932
OOB access in ldap_escape
Description: In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2024-53676
Description: A directory traversal vulnerability in Hewlett Packard Enterprise Insight Remote Support may allow remote code execution.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE
November 28th, 2024 (5 months ago)