8.8
CVE-2024-12771 - eCommerce Product Catalog Plugin for WordPress <= 3.3.43 - Cross-Site Request Forgery to Password Rβ¦
The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.43. This is due to missing or incorrect nonce validation on the 'customer_panel_password_reset' function. This makes it possible for unauthenβ¦
8.8
CVE-2024-12066 - SMSA Shipping(official) <= 2.3 - Authenticated (Subscriber+) Arbitrary File Deletion
The SMSA Shipping(official) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the smsa_delete_label() function in all versions up to, and including, 2.3. This makes it possible for authenticated attackers, with Subscriber-level access and abovβ¦
6.1
CVE-2024-11287 - Ebook Store <= 5.8001 - Reflected Cross-Site Scripting
The Ebook Store plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.8001. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages thβ¦
6.1
CVE-2024-11607 - GTPayment Donations <= 1.0.0 - Stored XSS via CSRF
The GTPayment Donations WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
7.3
CVE-2024-11977 - kk Star Ratings β Rate Post & Collect User Feedbacks <= 5.4.10 - Unauthenticated Arbitrary Shortcodβ¦
The The kk Star Ratings β Rate Post & Collect User Feedbacks plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.4.10. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shβ¦
6.9
CVE-2024-12846 - Emlog Pro link.php cross site scripting
A vulnerability, which was classified as problematic, has been found in Emlog Pro up to 2.4.1. Affected by this issue is some unknown functionality of the file /admin/link.php. The manipulation of the argument siteurl/icon leads to cross site scripting. The attack may be launched remotely. The explβ¦
9.8
CVE-2024-11349 - AdForest <= 5.1.6 - Authentication Bypass
The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.6. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the sb_login_user_with_otp_fun() function. This makes it possible for unauthenβ¦
5.3
CVE-2023-31280 - Exposure of Sensitive Information to an Unauthorized Actor
An AirVantage online Warranty Checker tool vulnerability could allow an attacker to perform bulk enumeration of IMEI and Serial Numbers pairs. The AirVantage Warranty Checker is updated to no longer return the IMEI and Serial Number in addition to the warranty status when the Serial Number or IMEβ¦
8.1
CVE-2023-31279 - Improper Authentication
The AirVantage platform is vulnerable to an unauthorized attacker registering previously unregistered devices on the AirVantage platform when the owner has not disabled the AirVantage Management Service on the devices or registered the device. This could enable an attacker to configure, manage, β¦
6.1
CVE-2024-11811 - Feedify β Web Push Notifications <= 2.4.2 - Reflected Cross-Site Scripting
The Feedify β Web Push Notifications plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'platform', 'phone', 'email', and 'store_url' parameters. in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible β¦