CVE-2024-10111
Description: The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.26.3. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token.
CVSS: HIGH (8.1) EPSS Score: 0.09%
December 13th, 2024 (4 months ago)

CVE-2024-11840
Description: The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the uucss_data, update_rapidload_settings, wp_ajax_update_htaccess_file, uucss_update_rule, upload_rules, get_all_rules, update_titan_settings, preload_page, and activate_module functions in all versions up to, and including, 2.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings or conduct SQL injection attacks.
CVSS: HIGH (7.1) EPSS Score: 0.05%
December 12th, 2024 (4 months ago)

CVE-2024-11205
Description: The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.
CVSS: HIGH (8.5) EPSS Score: 0.07%
December 11th, 2024 (4 months ago)

CVE-2024-10959
Description: The Active Products Tables for WooCommerce. Use constructor to create tables plugin for WordPress is vulnerable to arbitrary shortcode execution via the woot_get_smth AJAX action in all versions up to, and including, 1.0.6.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVSS: HIGH (7.3) EPSS Score: 0.05%
December 11th, 2024 (4 months ago)

CVE-2023-6947
Description: The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4.26. This makes it possible for authenticated attackers, with Contributor-level access or higher, to read the contents of arbitrary folders on the server, which can contain sensitive information such as folder structure.
CVSS: HIGH (7.7) EPSS Score: 0.05%
December 11th, 2024 (4 months ago)

CVE-2023-49831
Description: Missing Authorization vulnerability in Metagauss User Registration Forms RegistrationMagic allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RegistrationMagic: from n/a through 5.2.3.0.
CVSS: HIGH (7.5) EPSS Score: 0.04%
December 11th, 2024 (4 months ago)

CVE-2023-48286
Description: Missing Authorization vulnerability in Tips and Tricks HQ, wptipsntricks Stripe Payments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Stripe Payments: from n/a through 2.0.79.
CVSS: HIGH (8.2) EPSS Score: 0.04%
December 11th, 2024 (4 months ago)

CVE-2024-54226
Description: Cross-Site Request Forgery (CSRF) vulnerability in Karl Kiesinger Country Blocker allows Stored XSS. This issue affects Country Blocker: from n/a through 3.2.
CVSS: HIGH (7.1) EPSS Score: 0.04%
December 10th, 2024 (4 months ago)

CVE-2024-54225
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodegearThemes Designer allows PHP Local File Inclusion. This issue affects Designer: from n/a through 1.3.3.
CVSS: HIGH (7.5) EPSS Score: 0.04%
December 10th, 2024 (4 months ago)

CVE-2024-54220
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Roninwp FAT Services Booking allows Stored XSS. This issue affects FAT Services Booking: from n/a through 5.6.
CVSS: HIGH (7.1) EPSS Score: 0.04%
December 10th, 2024 (4 months ago)