Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-51700
WordPress NAVER Analytics plugin <= 0.9 - CSRF to Stored XSS vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 김 민준 (Minjun Kim) NAVER Analytics allows Stored XSS.This issue affects NAVER Analytics: from n/a through 0.9.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
January 8th, 2025 (3 months ago)

CVE-2024-49644
WordPress Accessibility by AllAccessible plugin <= 1.3.4 - Privilege Escalation vulnerability
Description: Incorrect Privilege Assignment vulnerability in AllAccessible Team Accessibility by AllAccessible allows Privilege Escalation.This issue affects Accessibility by AllAccessible: from n/a through 1.3.4.

CVSS: HIGH (8.8)

EPSS Score: 0.04%

Source: CVE
January 8th, 2025 (3 months ago)

CVE-2024-49633
WordPress DirectoryPress plugin <= 3.6.19 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Designinvento DirectoryPress allows Reflected XSS.This issue affects DirectoryPress: from n/a through 3.6.19.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
January 8th, 2025 (3 months ago)

CVE-2024-49249
WordPress SMSA Shipping plugin <= 2.3 - Arbitrary File Deletion vulnerability
Description: Path Traversal vulnerability in SMSA Express SMSA Shipping allows Path Traversal.This issue affects SMSA Shipping: from n/a through 2.3.

CVSS: HIGH (8.6)

EPSS Score: 0.04%

Source: CVE
January 8th, 2025 (3 months ago)

CVE-2024-12849
Error Log Viewer By WP Guru <= 1.0.1.3 - Missing Authorization to Unauthenticated Arbitrary File Read
Description: The Error Log Viewer By WP Guru plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1.3 via the wp_ajax_nopriv_elvwp_log_download AJAX action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

CVSS: HIGH (7.5)

EPSS Score: 0.53%

Source: CVE
January 8th, 2025 (3 months ago)

CVE-2024-12633
JoomSport <= 5.6.17 - Reflected Cross-Site Scripting via page
Description: The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page parameter in all versions up to, and including, 5.6.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS: HIGH (7.1)

EPSS Score: 0.05%

Source: CVE
January 8th, 2025 (3 months ago)

CVE-2024-12535
Host PHP Info <= 1.0.4 - Missing Authorization to Unauthenticated Sensitive Information Disclosure
Description: The Host PHP Info plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when including the 'phpinfo' function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to read configuration settings and predefined variables on the site's server. The plugin does not need to be activated for the vulnerability to be exploited.

CVSS: HIGH (8.6)

EPSS Score: 0.09%

Source: CVE
January 8th, 2025 (3 months ago)

CVE-2024-12471
Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator <= 1.3.1 - Missing Authorization to Authenticated (Sub...
Description: The Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator plugin for WordPress is vulnerable to arbitrary files uploads due to a missing capability check and file type validation on the add_image_to_library AJAX action function in all versions up to, and including, 1.3.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files that make remote code execution possible.

CVSS: HIGH (8.8)

EPSS Score: 0.05%

Source: CVE
January 8th, 2025 (3 months ago)

CVE-2024-12416
Woomotiv <= 3.6.1 - Unauthenticated SQL Injection
Description: The Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress is vulnerable to SQL Injection via the 'woomotiv_seen_products_.*' cookie in all versions up to, and including, 3.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: HIGH (7.5)

EPSS Score: 0.06%

Source: CVE
January 8th, 2025 (3 months ago)

CVE-2024-12322
ThePerfectWedding.nl Widget <= 2.8 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Description: The ThePerfectWedding.nl Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8. This is due to missing or incorrect nonce validation on the 'update_option' function. This makes it possible for unauthenticated attackers to update the 'tpwKey' option with stored cross-site scripting via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: HIGH (8.8)

EPSS Score: 0.05%

Source: CVE
January 8th, 2025 (3 months ago)