Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-54214
WordPress Revy plugin <= 1.18 - Unauthenticated Arbitrary File Upload vulnerability
Description: Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Revy allows Upload a Web Shell to a Web Server.This issue affects Revy: from n/a through 1.18.

CVSS: CRITICAL (10.0)

EPSS Score: 0.04%

Source: CVE
December 7th, 2024 (4 months ago)

CVE-2024-53810
WordPress Simple User Registration plugin <= 5.5 - Broken Access Control on User Deletion vulnerability
Description: Missing Authorization vulnerability in Najeeb Ahmad Simple User Registration allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Simple User Registration: from n/a through 5.5.

CVSS: CRITICAL (9.1)

EPSS Score: 0.04%

Source: CVE
December 7th, 2024 (4 months ago)

CVE-2024-51815
WordPress s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin <= 241114 - R...
Description: Improper Control of Generation of Code ('Code Injection') vulnerability in WP Sharks s2Member Pro allows Code Injection.This issue affects s2Member Pro: from n/a through 241114.

CVSS: CRITICAL (9.0)

EPSS Score: 0.04%

Source: CVE
December 7th, 2024 (4 months ago)

CVE-2024-51615
WordPress WordPress Auction Plugin plugin <= 3.7 - SQL Injection vulnerability
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Owen Cutajar & Hyder Jaffari WordPress Auction Plugin allows SQL Injection.This issue affects WordPress Auction Plugin: from n/a through 3.7.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
December 7th, 2024 (4 months ago)

CVE-2024-12155
SV100 Companion <= 2.0.02 - Missing Authorization to Unuathenticated Arbitrary Options Update
Description: The SV100 Companion plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the settings_import() function in all versions up to, and including, 2.0.02. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE
December 7th, 2024 (4 months ago)

CVE-2024-54221
WordPress FAT Services Booking plugin <= 5.6 - Unauthenticated SQL Injection vulnerability
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Roninwp FAT Services Booking.This issue affects FAT Services Booking: from n/a through 5.6.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2023-3249
The Web3 – Crypto wallet Login & NFT token gating plugin for WordPress is vulnerable to authentication bypass in versions up to, and including,...
Description: The Web3 – Crypto wallet Login & NFT token gating plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.6.0. This is due to incorrect authentication checking in the 'hidden_form_data' function. This makes it possible for authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
December 4th, 2024 (5 months ago)

CVE-2023-2278
The WP Directory Kit plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.1.9 via the 'wdk_public_action'...
Description: The WP Directory Kit plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.1.9 via the 'wdk_public_action' function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

CVSS: CRITICAL (9.8)

EPSS Score: 0.34%

Source: CVE
December 4th, 2024 (5 months ago)

CVE-2024-52476
WordPress Fediverse Embeds plugin <= 1.5.3 - Arbitrary File Upload vulnerability
Description: Unrestricted Upload of File with Dangerous Type vulnerability in stefanbohacek Fediverse Embeds allows Upload a Web Shell to a Web Server.This issue affects Fediverse Embeds: from n/a through 1.5.3.

CVSS: CRITICAL (10.0)

EPSS Score: 0.04%

Source: CVE
December 3rd, 2024 (5 months ago)

CVE-2024-11925
WP JobSearch <= 2.6.7 - Authentication Bypass to Account Takeover and Privilege Escalation
Description: The JobSearch WP Job Board plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.6.7. This is due to the plugin not properly verifying a users identity when verifying an email address through the user_account_activation function. This makes it possible for unauthenticated attackers to log in as any user, including site administrators if the users email is known.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
November 29th, 2024 (5 months ago)