CyberAlerts

CVE-2024-12638

Description: The Bulk Me Now! WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

EPSS Score: 0.04%

Source: CVE

January 31st, 2025 (5 months ago)

CVE-2024-12524

Clinked Client Portal <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description: The Clinked Client Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'clinked-login-button' shortcode in all versions up to, and including, 1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE

January 31st, 2025 (5 months ago)

CVE-2024-12451

HTML5 chat <= 1.04 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description: The HTML5 chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'HTML5CHAT' shortcode in all versions up to, and including, 1.04 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE

January 31st, 2025 (5 months ago)

CVE-2024-12444

WP Dispensary <= 4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description: The WP Dispensary plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpd_menu' shortcode in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE

January 31st, 2025 (5 months ago)

CVE-2024-12409

Simple:Press Forum <= 6.10.11 - Reflected Cross-Site Scripting

Description: The Simple:Press Forum plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 6.10.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.05%

Source: CVE

January 31st, 2025 (5 months ago)

CVE-2024-12400

Tourmaster < 5.3.5 - Reflected XSS

Description: The tourmaster WordPress plugin before 5.3.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.

EPSS Score: 0.04%

Source: CVE

January 31st, 2025 (5 months ago)

CVE-2024-12320

Team Rosters <= 4.7 - Reflected Cross-Site Scripting via 'tab'

Description: The Team Rosters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’ parameter in all versions up to, and including, 4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.05%

Source: CVE

January 31st, 2025 (5 months ago)

CVE-2024-12299

System Dashboard <= 2.8.15 - Reflected Cross-Site Scripting via Filename Parameter

Description: The System Dashboard plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the Filename parameter in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.05%

Source: CVE

January 31st, 2025 (5 months ago)

CVE-2024-12269

Safe Ai Malware Protection for WP <= 1.0.17 - Missing Authorization to Unauthenticated Database Export

Description: The Safe Ai Malware Protection for WP plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_db() function in all versions up to, and including, 1.0.17. This makes it possible for unauthenticated attackers to retrieve a complete dump of the site's database.

CVSS: HIGH (7.5)

EPSS Score: 0.09%

Source: CVE

January 31st, 2025 (5 months ago)

CVE-2024-12248

Out-of-bounds Write vulnerability in Contec Health CMS8000 Patient Monitor

Description: The affected product is vulnerable to an out-of-bounds write, which could allow an attacker to send specially formatted UDP requests in order to write arbitrary data. This could result in remote code execution.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE

January 31st, 2025 (5 months ago)

Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2024-12638	Bulk Me Now <= 2.0 - Reflected XSS Description: The Bulk Me Now! WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. EPSS Score: 0.04% Source: CVE January 31st, 2025 (5 months ago)
CVE-2024-12524	Clinked Client Portal <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting Description: The Clinked Client Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'clinked-login-button' shortcode in all versions up to, and including, 1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVSS: MEDIUM (6.4) EPSS Score: 0.05% Source: CVE January 31st, 2025 (5 months ago)
CVE-2024-12451	HTML5 chat <= 1.04 - Authenticated (Contributor+) Stored Cross-Site Scripting Description: The HTML5 chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'HTML5CHAT' shortcode in all versions up to, and including, 1.04 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVSS: MEDIUM (6.4) EPSS Score: 0.05% Source: CVE January 31st, 2025 (5 months ago)
CVE-2024-12444	WP Dispensary <= 4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Description: The WP Dispensary plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpd_menu' shortcode in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVSS: MEDIUM (6.4) EPSS Score: 0.05% Source: CVE January 31st, 2025 (5 months ago)
CVE-2024-12409	Simple:Press Forum <= 6.10.11 - Reflected Cross-Site Scripting Description: The Simple:Press Forum plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 6.10.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. CVSS: MEDIUM (6.1) EPSS Score: 0.05% Source: CVE January 31st, 2025 (5 months ago)
CVE-2024-12400	Tourmaster < 5.3.5 - Reflected XSS Description: The tourmaster WordPress plugin before 5.3.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting. EPSS Score: 0.04% Source: CVE January 31st, 2025 (5 months ago)
CVE-2024-12320	Team Rosters <= 4.7 - Reflected Cross-Site Scripting via 'tab' Description: The Team Rosters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’ parameter in all versions up to, and including, 4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. CVSS: MEDIUM (6.1) EPSS Score: 0.05% Source: CVE January 31st, 2025 (5 months ago)
CVE-2024-12299	System Dashboard <= 2.8.15 - Reflected Cross-Site Scripting via Filename Parameter Description: The System Dashboard plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the Filename parameter in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link. CVSS: MEDIUM (6.1) EPSS Score: 0.05% Source: CVE January 31st, 2025 (5 months ago)
CVE-2024-12269	Safe Ai Malware Protection for WP <= 1.0.17 - Missing Authorization to Unauthenticated Database Export Description: The Safe Ai Malware Protection for WP plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_db() function in all versions up to, and including, 1.0.17. This makes it possible for unauthenticated attackers to retrieve a complete dump of the site's database. CVSS: HIGH (7.5) EPSS Score: 0.09% Source: CVE January 31st, 2025 (5 months ago)
CVE-2024-12248	Out-of-bounds Write vulnerability in Contec Health CMS8000 Patient Monitor Description: The affected product is vulnerable to an out-of-bounds write, which could allow an attacker to send specially formatted UDP requests in order to write arbitrary data. This could result in remote code execution. CVSS: CRITICAL (9.3) EPSS Score: 0.04% Source: CVE January 31st, 2025 (5 months ago)