Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-11219
Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 3.0.6 - Unauthetnicated Path Traversal to Arbitrary Image View
Description: The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.0.6 via the get_image function. This makes it possible for unauthenticated attackers to view arbitrary images on the server, which can contain sensitive information.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2024-11083
ProfilePress <= 4.15.18 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Description: The ProfilePress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.15.18 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2024-11025
SMA: SQL injection in Sunny Central UP
Description: An authenticated attacker with low privileges may use a SQL Injection vulnerability in the affected products administration panel to gain read and write access to a specific log file of the device.

CVSS: MEDIUM (5.4)

EPSS Score: 0.05%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2024-11009
Internal Linking for SEO traffic & Ranking – Auto internal links (100% automatic) <= 1.2.1 - Authenticated (Administrator+) SQL Injection vi...
Description: The Internal Linking for SEO traffic & Ranking – Auto internal links (100% automatic) plugin for WordPress is vulnerable to time-based SQL Injection via the ‘post_id’ parameter in all versions up to, and including, 1.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: MEDIUM (4.9)

EPSS Score: 0.06%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2024-10895
Counter Up – Animated Number Counter & Milestone Showcase <= 2.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The Counter Up – Animated Number Counter & Milestone Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lgx-counter' shortcode in all versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2024-10580
Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.5 - Missing Authorization to Unauthorized Form Submission
Description: The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized form submissions due to a missing capability check on the submit_form() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to submit unpublished forms.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2024-10521
WordPress Contact Forms by Cimatti <= 1.9.2 - Cross-Site Request Forgery via process_bulk_action Function
Description: The WordPress Contact Forms by Cimatti plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.2. This is due to missing or incorrect nonce validation on the process_bulk_action function. This makes it possible for unauthenticated attackers to delete forms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (4.3)

EPSS Score: 0.05%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2024-10175
Pricing Tables For WPBakery Page Builder (formerly Visual Composer) <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via wdo_pr...
Description: The Pricing Tables For WPBakery Page Builder (formerly Visual Composer) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wdo_pricing_tables shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2023-6832
Business Logic Errors in microweber/microweber
Description: Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.

CVSS: MEDIUM (6.0)

EPSS Score: 0.05%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2023-6804
Improper Privilege Management allows for arbitrary workflows to be run
Description: Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped PAT. To exploit this, a workflow must have already existed in the target repo. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1.

CVSS: MEDIUM (6.5)

EPSS Score: 0.05%

Source: CVE
November 28th, 2024 (5 months ago)