Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-11814
Additional Custom Order Status for WooCommerce <= 1.6.0 - Reflected Cross-Site Scripting
Description: The Additional Custom Order Status for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the wfwp_wcos_delete_finished, wfwp_wcos_delete_fallback_finished, wfwp_wcos_delete_fallback_orders_updated, and wfwp_wcos_delete_fallback_status parameters in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.05%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-11813
Pulsating Chat Button <= 1.3.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Description: The Pulsating Chat Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.6. This is due to missing or incorrect nonce validation on the amin_chat_button_settings_page() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.05%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-11807
NPS computy <= 2.8.0 - Reflected Cross-Site Scripting
Description: The NPS computy plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'data1' and 'data2' parameters in all versions up to, and including, 2.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.05%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-11769
Flower Delivery by Florist One <= 3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The Flower Delivery by Florist One plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flower-delivery' shortcode in all versions up to, and including, 3.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-11747
Responsive Videos <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The Responsive Videos plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'somryv' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-11643
Accessibility by AllAccessible <= 1.3.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Update
Description: The Accessibility by AllAccessible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'AllAccessible_save_settings' function in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CVSS: HIGH (8.8)

EPSS Score: 0.05%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-11581
Luxion KeyShot JT File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability
Description: Luxion KeyShot JT File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of jt files. The issue results from the lack of proper validation of user-supplied data, which can result in a read before the start of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23826.

CVSS: HIGH (7.8)

EPSS Score: 0.05%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-11580
Luxion KeyShot ABC File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
Description: Luxion KeyShot ABC File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of abc files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23700.

CVSS: HIGH (7.8)

EPSS Score: 0.05%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-11579
Luxion KeyShot OBJ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
Description: Luxion KeyShot OBJ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of obj files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23697.

CVSS: HIGH (7.8)

EPSS Score: 0.05%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-11578
Luxion KeyShot 3DS File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
Description: Luxion KeyShot 3DS File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of 3DS files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23693.

CVSS: HIGH (7.8)

EPSS Score: 0.06%

Source: CVE
December 5th, 2024 (5 months ago)