Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-11728
KiviCare – Clinic & Patient Management System (EHR) <= 3.6.4 - Unauthenticated SQL Injection
Description: The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'visit_type[service_id]' parameter of the tax_calculated_data AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: HIGH (7.5)

EPSS Score: 0.89%

Source: CVE
December 7th, 2024 (5 months ago)

CVE-2024-11585
WP Hide & Security Enhancer <= 2.5.1 - Missing Authorization to Unauthenticated Arbitrary File Contents Deletion
Description: The WP Hide & Security Enhancer plugin for WordPress is vulnerable to arbitrary file contents deletion due to a missing authorization and insufficient file path validation in the file-process.php in all versions up to, and including, 2.5.1. This makes it possible for unauthenticated attackers to delete the contents of arbitrary files on the server, which can break the site or lead to data loss.

CVSS: HIGH (7.5)

EPSS Score: 0.05%

Source: CVE
December 7th, 2024 (5 months ago)

CVE-2024-11460
Verowa Connect <= 3.0.1 - Unauthenticated SQL Injection
Description: The Verowa Connect plugin for WordPress is vulnerable to SQL Injection via the 'search_string' parameter in all versions up to, and including, 3.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: HIGH (7.5)

EPSS Score: 0.06%

Source: CVE
December 7th, 2024 (5 months ago)

CVE-2024-11323
AI Quiz | Quiz Maker <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Description: The AI Quiz | Quiz Maker plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ai_quiz_update_style() function in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CVSS: HIGH (8.8)

EPSS Score: 0.05%

Source: CVE
December 7th, 2024 (5 months ago)

CVE-2024-11289
Soledad <= 8.5.9 - Unauthenticated Limited Local File Inclusion
Description: The Soledad theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.5.9 via several functions like penci_archive_more_post_ajax_func, penci_more_post_ajax_func, and penci_more_featured_post_ajax_func. This makes it possible for unauthenticated attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included. The exploitability of this is limited to Windows.

CVSS: HIGH (8.1)

EPSS Score: 0.09%

Source: CVE
December 7th, 2024 (5 months ago)

CVE-2024-11220
Open Automation Software Incorrect Execution-Assigned Permissions
Description: A local low-level user on the server machine with credentials to the running OAS services can create and execute a report with an rdlx file on the server system itself. Any code within the rdlx file of the report executes with SYSTEM privileges, resulting in privilege escalation.

CVSS: HIGH (7.8)

EPSS Score: 0.04%

Source: CVE
December 7th, 2024 (5 months ago)

CVE-2024-11178
Login With OTP <= 1.4.2 - Authentication Bypass via Weak OTP
Description: The Login With OTP plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.4.2. This is due to the plugin generating too weak OTP, and there’s no attempt or time limit. This makes it possible for unauthenticated attackers to generate and brute force the 6-digit numeric OTP that makes it possible to log in as any existing user on the site, such as an administrator, if they have access to the email.

CVSS: HIGH (8.1)

EPSS Score: 0.06%

Source: CVE
December 7th, 2024 (5 months ago)

CVE-2024-10776
SICK InspectorP61x and SICK InspectorP62x: missing authentication
Description: Lua apps can be deployed, removed, started, reloaded or stopped without authorization via AppManager. This allows an attacker to remove legitimate apps creating a DoS attack, read and write files or load apps that use all features of the product available to a customer.

CVSS: HIGH (8.2)

EPSS Score: 0.04%

Source: CVE
December 7th, 2024 (5 months ago)

CVE-2024-10774
SICK InspectorP61x and SICK InspectorP62x have unauthenticated CROWN APIs
Description: Unauthenticated CROWN APIs allow access to critical functions. This leads to the accessibility of large parts of the web application without authentication.

CVSS: HIGH (7.3)

EPSS Score: 0.04%

Source: CVE
December 7th, 2024 (5 months ago)

CVE-2024-10772
SICK InspectorP61x and SICK InspectorP62x are vulnerable for firmware modification
Description: Since the firmware update is not validated, an attacker can install modified firmware on the device. This has a high impact on the availabilty, integrity and confidentiality up to the complete compromise of the device.

CVSS: HIGH (8.8)

EPSS Score: 0.04%

Source: CVE
December 7th, 2024 (5 months ago)