Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-54269
WordPress Notibar plugin <= 2.1.4 - Broken Access Control vulnerability
Description: Missing Authorization vulnerability in Ninja Team Notibar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Notibar: from n/a through 2.1.4.

CVSS: MEDIUM (4.3)

EPSS Score: 0.04%

Source: CVE
December 12th, 2024 (4 months ago)

CVE-2024-12325
Waymark <= 1.4.1 - Reflected Cross-Site Scripting via 'content'
Description: The Waymark plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.06%

Source: CVE
December 12th, 2024 (4 months ago)

CVE-2024-12294
Last Viewed Posts by WPBeginner <= 1.0.1 - Unauthenticated Sensitive Information Exposure
Description: The Last Viewed Posts by WPBeginner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the 'get_legacy_cookies' function. This makes it possible for unauthenticated attackers to extract sensitive data including titles and permalinks of private, password-protected, pending, and draft posts.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
December 12th, 2024 (4 months ago)

CVE-2024-12283
WP Pipes <= 1.4.1 - Reflected Cross-Site Scripting via x1 Parameter
Description: The WP Pipes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘x1’ parameter in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.05%

Source: CVE
December 12th, 2024 (4 months ago)

CVE-2024-12004
WPC Order Notes for WooCommerce <= 1.5.2 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
Description: The WPC Order Notes for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.2. This is due to missing or incorrect nonce validation on the ajax_update_order_note() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.05%

Source: CVE
December 12th, 2024 (4 months ago)

CVE-2024-11840
RapidLoad – Optimize Web Vitals Automatically <= 2.4.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification and SQL ...
Description: The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the uucss_data, update_rapidload_settings, wp_ajax_update_htaccess_file, uucss_update_rule, upload_rules, get_all_rules, update_titan_settings, preload_page, and activate_module functions in all versions up to, and including, 2.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings or conduct SQL injection attacks.

CVSS: HIGH (7.1)

EPSS Score: 0.05%

Source: CVE
December 12th, 2024 (4 months ago)

CVE-2024-11351
Restrict – membership, site, content and user access restrictions for WordPress <= 2.2.8 - Unauthenticated Content Restriction Bypass to Sensitive ...
Description: The Restrict – membership, site, content and user access restrictions for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.8 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
December 12th, 2024 (4 months ago)

CVE-2024-11008
Members <= 3.2.10 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Description: The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.10 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
December 12th, 2024 (4 months ago)

CVE-2023-2811
AI ChatBot < 4.5.6 - Admin+ Stored Cross-Site Scripting
Description: The AI ChatBot WordPress plugin before 4.5.6 does not sanitise and escape numerous of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks to all admin when setting chatbot and all client when using chatbot

CVSS: LOW (0.0)

EPSS Score: 0.05%

Source: CVE
December 12th, 2024 (4 months ago)

CVE-2023-2751
Upload Resume <= 1.2.0 - Captcha Bypass
Description: The Upload Resume WordPress plugin through 1.2.0 does not validate the captcha parameter when uploading a resume via the resume_upload_form shortcode, allowing unauthenticated visitors to upload arbitrary media files to the site.

CVSS: LOW (0.0)

EPSS Score: 0.08%

Source: CVE
December 12th, 2024 (4 months ago)