8.8

CVSS3.1

CVE-2024-10673 - Top Store <= 1.5.4 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation

The Top Store theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the top_store_install_and_activate_callback() function in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with subscriber-…

📅 Published: Nov. 9, 2024, 3:17 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

6.4

CVSS3.1

CVE-2024-8960 - Cowidgets – Elementor Addons <= 1.2.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG…

The Cowidgets – Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level acces…

📅 Published: Nov. 9, 2024, 2:32 a.m. 🔄 Last Modified: April 8, 2026, 5:34 p.m.

5.3

CVSS3.1

CVE-2024-10779 - Cowidgets – Elementor Addons <= 1.2.0 - Authenticated (Contributor+) Post Disclosure

The Cowidgets – Elementor Addons plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.0 via the 'ce_template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contribut…

📅 Published: Nov. 9, 2024, 2:32 a.m. 🔄 Last Modified: April 8, 2026, 5:31 p.m.

6.5

CVSS3.1

CVE-2024-10294 - CE21 Suite <= 2.2.0 - Missing Authorization to Unauthenticated Plugin Settings Change

The CE21 Suite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ce21_single_sign_on_save_api_settings' function in versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to change plugin settings.

📅 Published: Nov. 9, 2024, 2:32 a.m. 🔄 Last Modified: April 8, 2026, 5:24 p.m.

5.5

CVSS3.1

CVE-2024-9775 - Anih - Creative Agency WordPress Theme <= 2024 - Authenticated (Administrator+) Stored Cross-Site S…

The Anih - Creative Agency WordPress Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2024 due to an incomplete blacklist, insufficient input sanitization, and output escaping. This makes it possible for authenticated at…

📅 Published: Nov. 9, 2024, 2:32 a.m. 🔄 Last Modified: April 8, 2026, 5:05 p.m.

9.8

CVSS3.1

CVE-2024-10285 - CE21 Suite <= 2.2.0 - JWT Token Disclosure

The CE21 Suite plugin for WordPress is vulnerable to sensitive information disclosure via the plugin-log.txt in versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to log in the user associated with the JWT token.

📅 Published: Nov. 9, 2024, 2:32 a.m. 🔄 Last Modified: April 8, 2026, 4:56 p.m.

9.8

CVSS3.1

CVE-2024-10586 - Debug Tool <= 2.2 - Unauthenticated Arbitrary File Creation

The Debug Tool plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the dbt_pull_image() function and missing file type validation in all versions up to, and including, 2.2. This makes it possible for unauthenticated attackers to create arbitrary fil…

📅 Published: Nov. 9, 2024, 2:32 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

9.8

CVSS3.1

CVE-2024-10284 - CE21 Suite <= 2.2.0 - Authentication Bypass

The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to a hardcoded encryption key in the 'ce21_authentication_phrase' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, …

📅 Published: Nov. 9, 2024, 2:32 a.m. 🔄 Last Modified: April 8, 2026, 6:19 p.m.

4.3

CVSS3.1

CVE-2024-10588 - Debug Tool <= 2.2 - Missing Authorization to Information Exposure

The Debug Tool plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the info() function in all versions up to, and including, 2.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to obtain information from…

📅 Published: Nov. 9, 2024, 2:31 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

6.5

CVSS3.1

CVE-2024-9262 - User Meta – User Profile Builder and User management plugin <= 3.1.1 - Insecure Direct Object Refer…

The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.1.1 via the getUser() due to missing validation on a user controlled key. This makes it possible for authenticated attackers…

📅 Published: Nov. 9, 2024, 2:03 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.
Total results: 344963
Page 7549 of 34,497