Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-12560 |
Description: The Button Block – Get fully customizable & multi-functional buttons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via the 'btn_block_duplicate_post' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract potentially sensitive data from draft, scheduled (future), private, and password protected posts.
CVSS: MEDIUM (4.3) EPSS Score: 0.05%
December 20th, 2024 (4 months ago)
|
|
CVE-2024-11768 |
Description: The Download Manager plugin for WordPress is vulnerable to unauthorized download of password-protected content due to improper password validation on the checkFilePassword function in all versions up to, and including, 3.3.03. This makes it possible for unauthenticated attackers to download password-protected files.
CVSS: MEDIUM (5.3) EPSS Score: 0.05%
December 20th, 2024 (4 months ago)
|
|
CVE-2024-55997 |
WordPress Order Delivery & Pickup Location Date Time plugin <= 1.1.0 - Settings Change vulnerability
Description: Missing Authorization vulnerability in Web Chunky Order Delivery & Pickup Location Date Time allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Delivery & Pickup Location Date Time: from n/a through 1.1.0.
CVSS: MEDIUM (6.5) EPSS Score: 0.04%
December 19th, 2024 (4 months ago)
|
|
CVE-2024-52485 |
Description: Missing Authorization vulnerability in Yudiz Solutions Ltd. WP Menu Image allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Menu Image: from n/a through 2.2.
CVSS: MEDIUM (6.5) EPSS Score: 0.04%
December 19th, 2024 (4 months ago)
|
|
CVE-2024-12596 |
Description: The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to arbitrary post deletion due to a missing capability check on the 'llms_delete_cert' action in all versions up to, and including, 7.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.
CVSS: MEDIUM (4.3) EPSS Score: 0.05%
December 19th, 2024 (4 months ago)
|
|
CVE-2024-12554 |
Description: The Peter’s Custom Anti-Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.3. This is due to missing nonce validation on the cas_register_post() function. This makes it possible for unauthenticated attackers to blacklist emails via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS: MEDIUM (5.4) EPSS Score: 0.05%
December 19th, 2024 (4 months ago)
|
|
CVE-2024-12513 |
Description: The Contests by Rewards Fuel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'RF_CONTEST' shortcode in all versions up to, and including, 2.0.65 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.05%
December 19th, 2024 (4 months ago)
|
|
CVE-2024-12500 |
Description: The Philantro – Donations and Donor Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes like 'donate' in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.1%
December 19th, 2024 (4 months ago)
|
|
CVE-2024-12454 |
Description: The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.23. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS: MEDIUM (6.1) EPSS Score: 0.06%
December 19th, 2024 (4 months ago)
|
|
CVE-2024-12449 |
Description: The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_player_html' shortcode in all versions up to, and including, 2.6.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.05%
December 19th, 2024 (4 months ago)
|