CyberAlerts

CVE-2023-2221

Description: The WP Custom Cursors WordPress plugin before 3.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin.

CVSS: LOW (0.0)

EPSS Score: 0.09%

Source: CVE

December 13th, 2024 (6 months ago)

CVE-2023-0368

Responsive Tabs For WPBakery Page Builder <= 1.1 - Contributor+ Stored XSS

Description: The Responsive Tabs For WPBakery Page Builder (formerly Visual Composer) WordPress plugin through 1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

CVSS: LOW (0.0)

EPSS Score: 0.06%

Source: CVE

December 13th, 2024 (6 months ago)

CVE-2024-11972

WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins

Description: Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks. The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations. "This flaw poses a significant security risk, as it

EPSS Score: 0.04%

Source: TheHackerNews

December 12th, 2024 (6 months ago)

CVE-2024-54269

WordPress Notibar plugin <= 2.1.4 - Broken Access Control vulnerability

Description: Missing Authorization vulnerability in Ninja Team Notibar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Notibar: from n/a through 2.1.4.

CVSS: MEDIUM (4.3)

EPSS Score: 0.04%

Source: CVE

December 12th, 2024 (6 months ago)

CVE-2024-12325

Waymark <= 1.4.1 - Reflected Cross-Site Scripting via 'content'

Description: The Waymark plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.06%

Source: CVE

December 12th, 2024 (6 months ago)

CVE-2024-12294

Last Viewed Posts by WPBeginner <= 1.0.1 - Unauthenticated Sensitive Information Exposure

Description: The Last Viewed Posts by WPBeginner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the 'get_legacy_cookies' function. This makes it possible for unauthenticated attackers to extract sensitive data including titles and permalinks of private, password-protected, pending, and draft posts.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE

December 12th, 2024 (6 months ago)

CVE-2024-12283

WP Pipes <= 1.4.1 - Reflected Cross-Site Scripting via x1 Parameter

Description: The WP Pipes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘x1’ parameter in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.05%

Source: CVE

December 12th, 2024 (6 months ago)

CVE-2024-12004

WPC Order Notes for WooCommerce <= 1.5.2 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

Description: The WPC Order Notes for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.2. This is due to missing or incorrect nonce validation on the ajax_update_order_note() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.05%

Source: CVE

December 12th, 2024 (6 months ago)

CVE-2024-11840

RapidLoad – Optimize Web Vitals Automatically <= 2.4.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification and SQL ...

Description: The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the uucss_data, update_rapidload_settings, wp_ajax_update_htaccess_file, uucss_update_rule, upload_rules, get_all_rules, update_titan_settings, preload_page, and activate_module functions in all versions up to, and including, 2.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings or conduct SQL injection attacks.

CVSS: HIGH (7.1)

EPSS Score: 0.05%

Source: CVE

December 12th, 2024 (6 months ago)

CVE-2024-11351

Restrict – membership, site, content and user access restrictions for WordPress <= 2.2.8 - Unauthenticated Content Restriction Bypass to Sensitive ...

Description: The Restrict – membership, site, content and user access restrictions for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.8 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE

December 12th, 2024 (6 months ago)

Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2023-2221	WP Custom Cursors < 3.2 - Admin+ SQLi Description: The WP Custom Cursors WordPress plugin before 3.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin. CVSS: LOW (0.0) EPSS Score: 0.09% Source: CVE December 13th, 2024 (6 months ago)
CVE-2023-0368	Responsive Tabs For WPBakery Page Builder <= 1.1 - Contributor+ Stored XSS Description: The Responsive Tabs For WPBakery Page Builder (formerly Visual Composer) WordPress plugin through 1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks CVSS: LOW (0.0) EPSS Score: 0.06% Source: CVE December 13th, 2024 (6 months ago)
CVE-2024-11972	WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins Description: Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks. The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations. "This flaw poses a significant security risk, as it EPSS Score: 0.04% Source: TheHackerNews December 12th, 2024 (6 months ago)
CVE-2024-54269	WordPress Notibar plugin <= 2.1.4 - Broken Access Control vulnerability Description: Missing Authorization vulnerability in Ninja Team Notibar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Notibar: from n/a through 2.1.4. CVSS: MEDIUM (4.3) EPSS Score: 0.04% Source: CVE December 12th, 2024 (6 months ago)
CVE-2024-12325	Waymark <= 1.4.1 - Reflected Cross-Site Scripting via 'content' Description: The Waymark plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. CVSS: MEDIUM (6.1) EPSS Score: 0.06% Source: CVE December 12th, 2024 (6 months ago)
CVE-2024-12294	Last Viewed Posts by WPBeginner <= 1.0.1 - Unauthenticated Sensitive Information Exposure Description: The Last Viewed Posts by WPBeginner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the 'get_legacy_cookies' function. This makes it possible for unauthenticated attackers to extract sensitive data including titles and permalinks of private, password-protected, pending, and draft posts. CVSS: MEDIUM (5.3) EPSS Score: 0.05% Source: CVE December 12th, 2024 (6 months ago)
CVE-2024-12283	WP Pipes <= 1.4.1 - Reflected Cross-Site Scripting via x1 Parameter Description: The WP Pipes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘x1’ parameter in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. CVSS: MEDIUM (6.1) EPSS Score: 0.05% Source: CVE December 12th, 2024 (6 months ago)
CVE-2024-12004	WPC Order Notes for WooCommerce <= 1.5.2 - Cross-Site Request Forgery to Reflected Cross-Site Scripting Description: The WPC Order Notes for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.2. This is due to missing or incorrect nonce validation on the ajax_update_order_note() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSS: MEDIUM (6.1) EPSS Score: 0.05% Source: CVE December 12th, 2024 (6 months ago)
CVE-2024-11840	RapidLoad – Optimize Web Vitals Automatically <= 2.4.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification and SQL ... Description: The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the uucss_data, update_rapidload_settings, wp_ajax_update_htaccess_file, uucss_update_rule, upload_rules, get_all_rules, update_titan_settings, preload_page, and activate_module functions in all versions up to, and including, 2.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings or conduct SQL injection attacks. CVSS: HIGH (7.1) EPSS Score: 0.05% Source: CVE December 12th, 2024 (6 months ago)
CVE-2024-11351	Restrict – membership, site, content and user access restrictions for WordPress <= 2.2.8 - Unauthenticated Content Restriction Bypass to Sensitive ... Description: The Restrict – membership, site, content and user access restrictions for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.8 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. CVSS: MEDIUM (5.3) EPSS Score: 0.05% Source: CVE December 12th, 2024 (6 months ago)