Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-11254 |
Description: The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the disqus_name parameter in all versions up to, and including, 1.1.1 due to insufficient input validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS: MEDIUM (6.1) EPSS Score: 0.05%
December 19th, 2024 (4 months ago)
|
|
CVE-2024-10892 |
Description: The Cost Calculator Builder WordPress plugin before 3.2.43 does not have CSRF checks in some AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.
EPSS Score: 0.04%
December 19th, 2024 (4 months ago)
|
|
CVE-2023-47511 |
Description: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in SO WP Pinyin Slugs plugin <= 2.3.0 versions.
CVSS: MEDIUM (5.9) EPSS Score: 0.05%
December 19th, 2024 (4 months ago)
|
|
CVE-2023-47245 |
Description: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Marco Milesi ANAC XML Viewer plugin <= 1.7 versions.
CVSS: MEDIUM (5.9) EPSS Score: 0.05%
December 19th, 2024 (4 months ago)
|
|
Description: A now-removed GitHub repository that advertised a WordPress tool to publish posts to the online content management system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials.
The malicious activity is part of a broader attack campaign undertaken by a threat actor, dubbed MUT-1244 (where MUT refers to "mysterious unattributed threat") by Datadog Security Labs, that
December 18th, 2024 (4 months ago)
|
|
CVE-2024-9654 |
Description: The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the 'verify_guest_email' function to ensure the requesting user is the intended recipient of the purchase receipt. This makes it possible for unauthenticated attackers to bypass intended security restrictions and view the receipts of other users, which contains a link to download paid content. Successful exploitation requires knowledge of another customers email address as well as the file ID of the content they purchased.
CVSS: LOW (3.7) EPSS Score: 0.05%
December 18th, 2024 (4 months ago)
|
|
CVE-2024-9624 |
Description: The WP All Import Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.9.3 due to missing SSRF protection on the pmxi_curl_download function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On cloud platforms, it might allow attackers to read the Instance metadata.
CVSS: HIGH (7.6) EPSS Score: 0.05%
December 18th, 2024 (4 months ago)
|
|
CVE-2024-8326 |
Description: The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 241114 via the 'sc_get_details' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including user data and database configuration information, which can lead to reading, updating, or dropping database tables. The vulnerability was partially patched in version 241114.
CVSS: HIGH (8.8) EPSS Score: 0.07%
December 18th, 2024 (4 months ago)
|
|
CVE-2024-12601 |
Description: The Calculated Fields Form plugin for WordPress is vulnerable to Denial of Service in all versions up to, and including, 5.2.63. This is due to unlimited height and width parameters for CAPTCHA images. This makes it possible for unauthenticated attackers to send multiple requests with large values, resulting in slowing server resources if the server does not mitigate Denial of Service attacks.
CVSS: MEDIUM (5.3) EPSS Score: 0.05%
December 18th, 2024 (4 months ago)
|
|
CVE-2024-12469 |
Description: The WP BASE Booking of Appointments, Services and Events plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘status’ parameter in all versions up to, and including, 4.9.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS: MEDIUM (6.1) EPSS Score: 0.05%
December 18th, 2024 (4 months ago)
|