Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-11827
Out of the Block: OpenStreetMap <= 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via ootb_query Shortcode
Description: The Out of the Block: OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ootb_query shortcode in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
December 14th, 2024 (4 months ago)

CVE-2024-11809
Primer MyData for Woocommerce <= 4.2.1 - Reflected Cross-Site Scripting
Description: The Primer MyData for Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'img_src' parameter in all versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.05%

Source: CVE
December 14th, 2024 (4 months ago)

CVE-2024-11767
NewsmanApp <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The NewsmanApp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'newsman_subscribe_widget' shortcode in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.07%

Source: CVE
December 14th, 2024 (4 months ago)

CVE-2024-11754
Booking System Trafft <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The Booking System Trafft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trafftbooking' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
December 14th, 2024 (4 months ago)

CVE-2024-11275
WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin <= 1.0.27 - Missing Authorization to Authenticated (Subscriber+) ...
Description: The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes it possible for authenticated attackers, with Timetics Customer access and above, to delete arbitrary users.

CVSS: MEDIUM (4.3)

EPSS Score: 0.05%

Source: CVE
December 14th, 2024 (4 months ago)

CVE-2024-11012
Notibar – Notification Bar for WordPress <= 2.1.4 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via njt_nofi_text
Description: The The Notibar – Notification Bar for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via njt_nofi_text AJAX action in all versions up to, and including, 2.1.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

CVSS: MEDIUM (6.3)

EPSS Score: 0.07%

Source: CVE
December 14th, 2024 (4 months ago)

CVE-2023-44149
WordPress Brands for WooCommerce plugin <= 3.8.2.2 - Broken Access Control vulnerability
Description: Missing Authorization vulnerability in BeRocket Brands for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Brands for WooCommerce: from n/a through 3.8.2.2.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE
December 14th, 2024 (4 months ago)

CVE-2023-44147
WordPress Comment Blacklist Updater plugin <= 1.1.0 - Broken Access Control vulnerability
Description: Missing Authorization vulnerability in Apasionados Comment Blacklist Updater allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Comment Blacklist Updater: from n/a through 1.1.0.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE
December 14th, 2024 (4 months ago)

CVE-2023-44142
WordPress Inactive Logout plugin <= 3.2.2 - Broken Access Control vulnerability
Description: Missing Authorization vulnerability in Inactive Logout Inactive Logout allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Inactive Logout: from n/a through 3.2.2.

CVSS: MEDIUM (5.4)

EPSS Score: 0.04%

Source: CVE
December 14th, 2024 (4 months ago)

CVE-2023-41952
WordPress Fluent Forms plugin <= 5.0.8 - Broken Access Control vulnerability
Description: Missing Authorization vulnerability in Contact Form - WPManageNinja LLC FluentForm allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentForm: from n/a through 5.0.8.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE
December 14th, 2024 (4 months ago)