Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-10056
Contact Form Builder <= 4.10.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via livesite-pay Shortcode
Description: The Contact Form Builder by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's livesite-pay shortcode in all versions up to, and including, 4.10.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
December 6th, 2024 (4 months ago)

CVE-2023-2996
Jetpack < 12.1.1 - Author+ Arbitrary File Manipulation via API
Description: The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, deleting arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization.

CVSS: LOW (0.0)

EPSS Score: 0.37%

Source: CVE
December 6th, 2024 (4 months ago)

CVE-2024-8962
WPBITS Addons For Elementor Page Builder <= 1.5.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Description: The WPBITS Addons For Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVSS: MEDIUM (6.4)

EPSS Score: 0.07%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-54221
WordPress FAT Services Booking plugin <= 5.6 - Unauthenticated SQL Injection vulnerability
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Roninwp FAT Services Booking.This issue affects FAT Services Booking: from n/a through 5.6.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-5020
Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library
Description: Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.13%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-49232
WordPress El mejor Cluster plugin <= 1.1.15 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Javier Loureiro El mejor Cluster allows DOM-Based XSS.This issue affects El mejor Cluster: from n/a through 1.1.15.

CVSS: MEDIUM (6.5)

EPSS Score: 0.05%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-4900
SEOPress < 7.8 - Contributor+ Open Redirect
Description: The SEOPress WordPress plugin before 7.8 does not validate and escape one of its Post settings, which could allow contributor and above role to perform Open redirect attacks against any user viewing a malicious post

CVSS: LOW (0.0)

EPSS Score: 0.04%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-12099
Dollie Hub – Build Your Own WordPress Cloud Platform <= 6.2.0 - Authenticated (Contributor+) Post Disclosure
Description: The Dollie Hub – Build Your Own WordPress Cloud Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.2.0 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.

CVSS: MEDIUM (4.3)

EPSS Score: 0.05%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-11952
Classic Addons – WPBakery Page Builder <= 3.0 - Authenticated (Contributor+) Limited Local PHP File Inclusion
Description: The Classic Addons – WPBakery Page Builder plugin for WordPress is vulnerable to Limited Local PHP File Inclusion in all versions up to, and including, 3.0 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The vulnerability is limited to PHP files in a Windows environment.

CVSS: HIGH (7.5)

EPSS Score: 0.05%

Source: CVE
December 5th, 2024 (5 months ago)

CVE-2024-11935
Email Address Obfuscation <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter
Description: The Email Address Obfuscation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class’ parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.07%

Source: CVE
December 5th, 2024 (5 months ago)