4.4
CVE-2024-12581 - Kadence Blocks <= 3.2.53 - Authenticated (Admin+) Stored Cross-Site Scripting
The Gutenberg Blocks with AI by Kadence WP β Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.53 due to insufficient input sanitization and output escaping. This makes it possible for authenticated aβ¦
5.7
CVE-2024-21543 -
Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checksβ¦
7.7
CVE-2024-21544 -
Versions of the package spatie/browsershot before 5.0.1 are vulnerable to Improper Input Validation due to improper URL validation in the setUrl method. An attacker can exploit this vulnerability by using leading whitespace (%20) before the file:// protocol, resulting in Local File Inclusion, whicβ¦
6.1
CVE-2024-11809 - Primer MyData for Woocommerce <= 4.2.1 - Reflected Cross-Site Scripting
The Primer MyData for Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'img_src' parameter in all versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject aβ¦
5.3
CVE-2024-12579 - Minify HTML <= 2.1.10 - - Regular Expressions Denial of Service
The Minify HTML plugin for WordPress is vulnerable to Regular Expression Denial of Service (ReDoS) in all versions up to, and including, 2.1.10. This is due to processing user-supplied input as a regular expression. This makes it possible for unauthenticated attackers to create comments that can cβ¦
5.4
CVE-2024-12574 - SVG Shortcode <= 1.0.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload
The SVG Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in paβ¦
6.4
CVE-2024-11767 - NewsmanApp <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
The NewsmanApp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'newsman_subscribe_widget' shortcode in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for autheβ¦
6.5
CVE-2019-25221 - Responsive Filterable Portfolio <=1.0.8 - Authenticated (Admin+) SQL Injection
The Responsive Filterable Portfolio plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possiblβ¦
3.7
CVE-2024-12300 - AR for WordPress <= 7.3 - Missing Authorization to Unauthenticated Limited File Upload
The AR for WordPress plugin for WordPress is vulnerable to unauthorized double extension file upload due to a missing capability check on the set_ar_featured_image() function in all versions up to, and including, 7.3. This makes it possible for unauthenticated attackers to upload php files leveragiβ¦
6.1
CVE-2024-12572 - Hello in All Languages <= 1.0.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The Hello In All Languages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious wβ¦